fstrace: Avoid accessing icl log after zapping it
author Simon Wilkinson <sxw@your-file-system.com>
Tue, 19 Feb 2013 17:15:42 +0000 (17:15 +0000)
committer Jeffrey Altman <jaltman@your-file-system.com>
Sun, 24 Feb 2013 19:12:40 +0000 (11:12 -0800)
The for loop in icl_EnumerateLogs looks up the next pointer in the
current entry after zapping it. Depending on reference counts, this
may result in us looking up freed memory.

Take a copy of the next pointer before zapping the current entry, just
in case.

Caught by clang-analyzer

Change-Id: If38f0af2b01c5b8ea00e68e4432c6ad5517578c8
Reviewed-on: http://gerrit.openafs.org/9190
Tested-by: BuildBot <buildbot@rampaginggeek.com>
Reviewed-by: Derrick Brashear <shadow@your-file-system.com>
Reviewed-by: Jeffrey Altman <jaltman@your-file-system.com>

src/venus/fstrace.c

index 2ed8e6e..56daa93 100644
@@ -1611,12 +1611,13 @@ icl_EnumerateLogs(int (*aproc)
                    (char *name, void *arock, struct afs_icl_log * tp),
                  void *arock)
 {
-    struct afs_icl_log *tp;
+    struct afs_icl_log *tp, *np;
     afs_int32 code;
 
     code = 0;
-    for (tp = afs_icl_allLogs; tp; tp = tp->nextp) {
+    for (tp = afs_icl_allLogs; tp; tp = np) {
        tp->refCount++;         /* hold this guy */
+       np = tp->nextp;
        code = (*aproc) (tp->name, arock, tp);
        if (--tp->refCount == 0)
            icl_ZapLog(tp);
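Review bot: the snapshot `np = tp->nextp` is taken before `(*aproc)` runs, so it covers the case the message describes (the callback's reference drop letting `icl_ZapLog(tp)` free the current entry) but not a callback that removes or frees the next entry in `afs_icl_allLogs`; on the following iteration `np` would then be a dangling pointer, the same class of use-after-free this change is fixing. If callbacks are allowed to modify the list, either hold the next entry too (`np->refCount++` before the call, with a matching drop and zap afterwards) or move the copy to just before `if (--tp->refCount == 0)`, where `tp` is still held and the callback has already returned. A minor style point: initialising `np` in the declaration (`struct afs_icl_log *tp, *np = NULL;`) avoids a maybe-uninitialised warning from stricter analysers on the loop increment.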