lib: tevent: Fix bug in poll backend - poll_event_loop_poll()

If the (pfd->revents & POLLNVAL) case is triggered,
we do DLIST_REMOVE(ev->fd_events, fde); and then
use fde->next in the loop above.

Save off fde->next for loop interation before
this so we can't use a deleted ->next value.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11771

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
(cherry picked from commit 2be3dd1407eabe3df360ede2eab178848e34733c)

diff --git a/lib/tevent/tevent_poll.c b/lib/tevent/tevent_poll.c
index 573ba9354f0b943dda8fc4fb56039cd92316bac3..9b1781f87c52d6181119e7ec02f1307f5b3acc13 100644 (file)
--- a/lib/tevent/tevent_poll.c
+++ b/lib/tevent/tevent_poll.c
@@ -498,6 +498,7 @@ static int poll_event_loop_poll(struct tevent_context *ev,
        int timeout = -1;
        int poll_errno;
        struct tevent_fd *fde = NULL;
+       struct tevent_fd *next = NULL;
        unsigned i;
 
        if (ev->signal_events && tevent_common_check_signal(ev)) {
@@ -542,11 +543,13 @@ static int poll_event_loop_poll(struct tevent_context *ev,
           which ones and call the handler, being careful to allow
           the handler to remove itself when called */
 
-       for (fde = ev->fd_events; fde; fde = fde->next) {
+       for (fde = ev->fd_events; fde; fde = next) {
                uint64_t idx = fde->additional_flags;
                struct pollfd *pfd;
                uint16_t flags = 0;
 
+               next = fde->next;
+
                if (idx == UINT64_MAX) {
                        continue;
                }