afs_conn: make release_conns_vector() actually work

release_conns_vector must never have been called before with
a non-null parameter, because it could not possibly work.
The first line of the loop is a null pointer dereference, and
if that were fixed, there's also a modify-after-free bug as well.
It's not clear how what the old version was trying to do; this
version makes a stab at doing something sensible but might be
less than required.  (Note that this would be much simpler if
converted to queue(3) macros or a similar standard linked-list
data structure.)

Change-Id: I4c0fb7ed1ee977dcc0b4dfb32557882679069731
Reviewed-on: http://gerrit.openafs.org/7838
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Alistair Ferguson <alistair.ferguson@mac.com>
Reviewed-by: Derrick Brashear <shadow@dementix.org>

diff --git a/src/afs/afs_conn.c b/src/afs/afs_conn.c
index 8b2dd7377182659fbedaf83e8159069ced6c7e74..bdde19b4c2f24e6b4b401fd30eaa8e7442b4a14a 100644 (file)
--- a/src/afs/afs_conn.c
+++ b/src/afs/afs_conn.c
@@ -180,14 +180,15 @@ release_conns_user_server(struct unixuser *xu, struct server *xs)
 
 
 static void
-release_conns_vector(struct sa_conn_vector *xcv)
+release_conns_vector(struct sa_conn_vector *tcv)
 {
     int cix, glocked;
     struct afs_conn *tc;
-    struct sa_conn_vector *tcv = NULL;
-    struct sa_conn_vector **lcv = NULL;
-    for (tcv = xcv; tcv; lcv = &tcv->next, tcv = *lcv) {
-        *lcv = tcv->next;
+    struct sa_conn_vector *next;
+
+    while (tcv != NULL) {
+       next = tcv->next;
+
         /* you know it, you love it, the GLOCK */
         glocked = ISAFS_GLOCK();
         if (glocked)
@@ -204,6 +205,7 @@ release_conns_vector(struct sa_conn_vector *xcv)
         if (glocked)
             AFS_GLOCK();
         afs_osi_Free(tcv, sizeof(struct sa_conn_vector));
+       tcv = next;
     }
 
 }        /* release_conns_vector */