From eb4368602284057b6af5cd98d04dc1df719304d5 Mon Sep 17 00:00:00 2001 From: Linus Nordberg Date: Fri, 16 Jan 2015 16:33:29 +0100 Subject: Fix use-after-free in _internal_removeserversubrealms(). MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Patch by Stephen Röttger. --- radsecproxy.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/radsecproxy.c b/radsecproxy.c index 6ac29f7..c83cef4 100644 --- a/radsecproxy.c +++ b/radsecproxy.c @@ -790,6 +790,7 @@ int hasdynamicserver(struct list *srvconfs) { void _internal_removeserversubrealms(struct list *realmlist, struct clsrvconf *srv) { struct list_node *entry, *entry2; struct realm *realm; + struct list *srvconfs; for (entry = list_first(realmlist); entry;) { realm = newrealmref((struct realm *)entry->data); @@ -797,16 +798,18 @@ void _internal_removeserversubrealms(struct list *realmlist, struct clsrvconf *s entry = list_next(entry); if (realm->srvconfs) { + srvconfs = realm->srvconfs; for (entry2 = list_first(realm->srvconfs); entry2; entry2 = list_next(entry2)) if (entry2->data == srv) freerealm(realm); - list_removedata(realm->srvconfs, srv); + list_removedata(srvconfs, srv); } if (realm->accsrvconfs) { + srvconfs = realm->accsrvconfs; for (entry2 = list_first(realm->accsrvconfs); entry2; entry2 = list_next(entry2)) if (entry2->data == srv) freerealm(realm); - list_removedata(realm->accsrvconfs, srv); + list_removedata(srvconfs, srv); } /* remove subrealm if no dynamic servers left */ -- cgit v1.1