The for loop in icl_EnumerateLogs looks up the next pointer in the
current entry after zapping it. Depending on reference counts, this
may result in us looking up freed memory.

Take a copy of the next pointer before zapping the current entry, just
in case.

Caught by clang-analyzer

Change-Id: If38f0af2b01c5b8ea00e68e4432c6ad5517578c8
Reviewed-on: http://gerrit.openafs.org/9190
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Derrick Brashear <shadow@your-file-system.com>
Reviewed-by: Jeffrey Altman <jaltman@your-file-system.com>
(char *name, void *arock, struct afs_icl_log * tp),
void *arock)
{
- struct afs_icl_log *tp;
+ struct afs_icl_log *tp, *np;
afs_int32 code;
code = 0;
- for (tp = afs_icl_allLogs; tp; tp = tp->nextp) {
+ for (tp = afs_icl_allLogs; tp; tp = np) {
tp->refCount++; /* hold this guy */
+ np = tp->nextp;
code = (*aproc) (tp->name, arock, tp);
if (--tp->refCount == 0)
icl_ZapLog(tp);
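Review bot: `np = tp->nextp;` is read before the `(*aproc)` callback runs, and unlike `tp` the saved entry gets no `refCount` hold of its own. If the callback, or anything running while it executes, can drop the last reference on the following log, `np` is already stale when the loop advances with `tp = np`, which is the same class of use-after-free this change is closing. Consider moving the assignment to after the callback returns and before `if (--tp->refCount == 0)`, where `tp` is still held and its `nextp` reflects any list changes made during the callback, or take a hold on `np` as well. A short comment on the `np` line saying that `icl_ZapLog(tp)` may free `tp` would also keep a later cleanup from folding it back into `tp = tp->nextp`.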