don't risk using dangling pointers when looping thru connections (ITS#4405)

d84afed0 · Kurt Zeilenga · 8ac01e3c · d84afed0 · d84afed0
Commit d84afed0 authored Aug 17, 2006 by Kurt Zeilenga
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,7 @@ OpenLDAP 2.3 Change Log

 OpenLDAP 2.3.26 Release
 	Fixed libldap dnssrv bug with "not present" positive statement (ITS#4610)
+	Fixed libldap dangling pointer issue (ITS#4405)
 	Fixed slapd incorrect rebuilding of replica URI (ITS#4633)
 	Fixed slapd-monitor operations order via callbacks (ITS#4631)
 	Fixed slapo-accesslog purge task during shutdown

--- a/libraries/libldap/result.c
+++ b/libraries/libldap/result.c
@@ -233,7 +233,7 @@ wait4msg(
 			*tvp;
 	time_t		start_time = 0;
 	time_t		tmp_time;
-	LDAPConn	*lc, *nextlc;
+	LDAPConn	*lc;

 	assert( ld != NULL );
 	assert( result != NULL );
@@ -277,8 +277,7 @@ wait4msg(
 #ifdef LDAP_R_COMPILE
 			ldap_pvt_thread_mutex_lock( &ld->ld_conn_mutex );
 #endif
-			for ( lc = ld->ld_conns; lc != NULL; lc = nextlc ) {
-				nextlc = lc->lconn_next;
+			for ( lc = ld->ld_conns; lc != NULL; lc = lc->lconn_next ) {
 				if ( ber_sockbuf_ctrl( lc->lconn_sb,
 						LBER_SB_OPT_DATA_READY, NULL ) ) {
 #ifdef LDAP_R_COMPILE
@@ -333,10 +332,10 @@ wait4msg(
 					ldap_pvt_thread_mutex_unlock( &ld->ld_req_mutex );
 					ldap_pvt_thread_mutex_lock( &ld->ld_conn_mutex );
 #endif
-					for ( lc = ld->ld_conns; rc == LDAP_MSG_X_KEEP_LOOKING && lc != NULL;
-						lc = nextlc )
+					for ( lc = ld->ld_conns;
+						rc == LDAP_MSG_X_KEEP_LOOKING && lc != NULL;
+						lc = lc->lconn_next )
 					{
-						nextlc = lc->lconn_next;
 						if ( lc->lconn_status == LDAP_CONNST_CONNECTED &&
 							ldap_is_read_ready( ld, lc->lconn_sb ))
 						{
@@ -344,10 +343,17 @@ wait4msg(
 							ldap_pvt_thread_mutex_unlock( &ld->ld_conn_mutex );
 #endif
 							rc = try_read1msg( ld, msgid, all, &lc, result );
-								if ( lc == NULL ) lc = nextlc;
 #ifdef LDAP_R_COMPILE
 							ldap_pvt_thread_mutex_lock( &ld->ld_conn_mutex );
 #endif
+							if ( lc == NULL ) {
+								/* if lc gets free()'d,
+								 * there's no guarantee
+								 * lc->lconn_next is still
+								 * sane; better restart
+								 * (ITS#4405) */
+								lc = ld->ld_conns;
+							}
 						}
 					}
 #ifdef LDAP_R_COMPILE