From 7649a66a6193e2fd8a709bf701fcbb07774d2d33 Mon Sep 17 00:00:00 2001
From: Garrett Wollman
Date: Sun, 22 Jul 2012 23:20:01 -0400
Subject: [PATCH] afs_conn: make release_conns_vector() actually work

release_conns_vector must never have been called before with a non-null parameter, because it could not possibly work. The first line of the loop is a null pointer dereference, and if that were fixed, there's also a modify-after-free bug as well. It's not clear how what the old version was trying to do; this version makes a stab at doing something sensible but might be less than required. (Note that this would be much simpler if converted to queue(3) macros or a similar standard linked-list data structure.)

Change-Id: I4c0fb7ed1ee977dcc0b4dfb32557882679069731
Reviewed-on: http://gerrit.openafs.org/7838
Tested-by: BuildBot
Reviewed-by: Alistair Ferguson
Reviewed-by: Derrick Brashear
---
 src/afs/afs_conn.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/src/afs/afs_conn.c b/src/afs/afs_conn.c
index 8b2dd7377..bdde19b4c 100644
--- a/src/afs/afs_conn.c
+++ b/src/afs/afs_conn.c
@@ -180,14 +180,15 @@ release_conns_user_server(struct unixuser *xu, struct server *xs)
 static void
-release_conns_vector(struct sa_conn_vector *xcv)
+release_conns_vector(struct sa_conn_vector *tcv)
 {
 int cix, glocked;
 struct afs_conn *tc;
- struct sa_conn_vector *tcv = NULL;
- struct sa_conn_vector **lcv = NULL;
- for (tcv = xcv; tcv; lcv = &tcv->next, tcv = *lcv) {
- *lcv = tcv->next;
+ struct sa_conn_vector *next;
+
+ while (tcv != NULL) {
+ next = tcv->next;
+
 /* you know it, you love it, the GLOCK */
 glocked = ISAFS_GLOCK();
 if (glocked)
@@ -204,6 +205,7 @@ release_conns_vector(struct sa_conn_vector *xcv)
 if (glocked)
 AFS_GLOCK();
 afs_osi_Free(tcv, sizeof(struct sa_conn_vector));
+ tcv = next;
 }
 } /* release_conns_vector */
-- 
2.39.5
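Review bot: The new loop never detaches a vector from the chain before the global lock is dropped (`AFS_GUNLOCK()` under the `if (glocked)` at the end of the first hunk) and the vector is released by `afs_osi_Free(tcv, ...)` in the second hunk, so if any other thread can still reach this chain through the caller's head pointer while the lock is released, it can follow links into memory that is about to be, or already has been, freed; the removed `*lcv = tcv->next;` line appears to have been aimed at unlinking first, even though it could not work as written. Because the chain head is now passed by value and reused as the cursor, the function also cannot clear the caller's pointer, so that pointer is dangling on return. If the contract is that callers unlink the chain under the GLOCK before calling and never touch the head afterwards, state it in a header comment above `static void`, e.g. `/* Free every sa_conn_vector in the chain headed by tcv. The caller must have unlinked the chain under the GLOCK beforehand and must not use tcv afterwards; the GLOCK is dropped while each vector's connections are torn down. */`. As a matter of style, `next` can be declared at first use inside the loop, `struct sa_conn_vector *next = tcv->next;`, which removes the uninitialized top-of-block declaration the first hunk adds. The loop body between the two hunks (the per-connection teardown) is outside the diff.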