From: Jeremy Allison
Date: Tue, 17 Nov 2015 18:28:50 +0000 (-0800)
Subject: lib: tevent: Fix bug in poll backend - poll_event_loop_poll()
X-Git-Tag: samba-4.2.12~51
X-Git-Url: http://git.samba.org/?p=samba.git;a=commitdiff_plain;h=1ca26eae75780a789559158ecec1afaa93f5dff4

lib: tevent: Fix bug in poll backend - poll_event_loop_poll()

If the (pfd->revents & POLLNVAL) case is triggered, we do DLIST_REMOVE(ev->fd_events, fde); and then use fde->next in the loop above.

Save off fde->next for loop iteration before this so we can't use a deleted ->next value.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11771

Signed-off-by: Jeremy Allison
Reviewed-by: Volker Lendecke
(cherry picked from commit 2be3dd1407eabe3df360ede2eab178848e34733c)
---
diff --git a/lib/tevent/tevent_poll.c b/lib/tevent/tevent_poll.c index 573ba9354f0..9b1781f87c5 100644 --- a/lib/tevent/tevent_poll.c +++ b/lib/tevent/tevent_poll.c @@ -498,6 +498,7 @@ static int poll_event_loop_poll(struct tevent_context *ev, int timeout = -1; int poll_errno; struct tevent_fd *fde = NULL; + struct tevent_fd *next = NULL; unsigned i; if (ev->signal_events && tevent_common_check_signal(ev)) { @@ -542,11 +543,13 @@ static int poll_event_loop_poll(struct tevent_context *ev, which ones and call the handler, being careful to allow the handler to remove itself when called */ - for (fde = ev->fd_events; fde; fde = fde->next) { + for (fde = ev->fd_events; fde; fde = next) { uint64_t idx = fde->additional_flags; struct pollfd *pfd; uint16_t flags = 0; + next = fde->next; + if (idx == UINT64_MAX) { continue; }
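Review bot: In the second hunk (@@ -542,11 +543,13), the saved pointer from `next = fde->next;` only protects against removal of the current `fde`; it gives no protection if the successor entry is unlinked or freed during the same iteration, in which case `fde = next` would load the stale pointer instead. The assignment is correctly placed ahead of the `idx == UINT64_MAX` check, so the `continue` path still advances, and it covers the DLIST_REMOVE(ev->fd_events, fde) case named in the commit message. The loop comment only promises that a handler may remove itself, so please add a one-line comment at the assignment stating the invariant the loop relies on (only the current fde may leave the list while it is being visited) and confirm that nothing in the loop body keeps iterating after a handler has run.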