From: Garrett Wollman Date: Mon, 23 Jul 2012 03:20:01 +0000 (-0400) Subject: afs_conn: make release_conns_vector() actually work X-Git-Tag: upstream/1.8.0_pre1^2~2148 X-Git-Url: https://git.michaelhowe.org/gitweb/?a=commitdiff_plain;h=7649a66a6193e2fd8a709bf701fcbb07774d2d33;p=packages%2Fo%2Fopenafs.git afs_conn: make release_conns_vector() actually work release_conns_vector must never have been called before with a non-null parameter, because it could not possibly work. The first line of the loop is a null pointer dereference, and if that were fixed, there's also a modify-after-free bug as well. It's not clear what the old version was trying to do; this version makes a stab at doing something sensible but might be less than required. (Note that this would be much simpler if converted to queue(3) macros or a similar standard linked-list data structure.) Change-Id: I4c0fb7ed1ee977dcc0b4dfb32557882679069731 Reviewed-on: http://gerrit.openafs.org/7838 Tested-by: BuildBot Reviewed-by: Alistair Ferguson Reviewed-by: Derrick Brashear --- diff --git a/src/afs/afs_conn.c b/src/afs/afs_conn.c index 8b2dd7377..bdde19b4c 100644 --- a/src/afs/afs_conn.c +++ b/src/afs/afs_conn.c @@ -180,14 +180,15 @@ release_conns_user_server(struct unixuser *xu, struct server *xs) static void -release_conns_vector(struct sa_conn_vector *xcv) +release_conns_vector(struct sa_conn_vector *tcv) { int cix, glocked; struct afs_conn *tc; - struct sa_conn_vector *tcv = NULL; - struct sa_conn_vector **lcv = NULL; - for (tcv = xcv; tcv; lcv = &tcv->next, tcv = *lcv) { - *lcv = tcv->next; + struct sa_conn_vector *next; + + while (tcv != NULL) { + next = tcv->next; + /* you know it, you love it, the GLOCK */ glocked = ISAFS_GLOCK(); if (glocked) @@ -204,6 +205,7 @@ release_conns_vector(struct sa_conn_vector *xcv) if (glocked) AFS_GLOCK(); afs_osi_Free(tcv, sizeof(struct sa_conn_vector)); + tcv = next; } } /* release_conns_vector */
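Review bot: in the first hunk (@@ -180,14 +180,15 @@), `next = tcv->next;` is captured before the GLOCK is conditionally released for the per-connection work and re-taken with `if (glocked) AFS_GLOCK();` in the second hunk, so there is a window where this thread holds a raw pointer to the following element without the lock. That is only safe if the chain is already unreachable from the server/user structures by the time release_conns_vector() is called; otherwise another thread could free or unlink `next` during the unlocked stretch and `tcv = next;` would walk into freed memory. Suggest either stating that precondition in a comment above the `while (tcv != NULL)` loop or re-reading the successor under the lock after `AFS_GLOCK()` rather than relying on the value saved before the unlock. The change itself does fix the null dereference of `lcv` on the first iteration of the old `for (tcv = xcv; tcv; lcv = &tcv->next, tcv = *lcv)` loop, as the commit message says.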
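Review bot: in the second hunk (@@ -204,6 +205,7 @@), `tcv = next;` advances from the pointer saved before `afs_osi_Free(tcv, sizeof(struct sa_conn_vector));`, which avoids the use-after-free the old loop would have had, but the function still receives the head by value, so the caller is left holding a dangling pointer to the first freed vector once the loop finishes. The removed `struct sa_conn_vector **lcv` suggests the original intent was to unlink in place. Suggest either changing the signature to take `struct sa_conn_vector **` and writing NULL through it after the loop, or adding a comment on release_conns_vector() that the caller must drop its own reference to the chain immediately after the call.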