- otto@cvs.openbsd.org 2005/10/17 20:19:42

[openbsd-compat/sys-queue.h] Performing certain operations on queue.h data structurs produced funny results. An example is calling LIST_REMOVE on the same element twice. This will not fail, but result in a data structure referencing who knows what. Prevent these accidents by NULLing some fields on remove and replace. This way, either a panic or segfault will be produced on the faulty operation.
2007-10-26 16:42:18 +10:00 · 2007-10-26 16:42:18 +10:00 · 9aeef6b50d
parent d129ecb0f9
commit 9aeef6b50d
2 changed files with 23 additions and 2 deletions
--- a/10
+++ b/10
@ -102,6 +102,14 @@
   - deraadt@cvs.openbsd.org 2005/02/25 13:29:30
     [openbsd-compat/sys-queue.h]
     minor white spacing
+   - otto@cvs.openbsd.org 2005/10/17 20:19:42
+     [openbsd-compat/sys-queue.h]
+     Performing certain operations on queue.h data structurs produced
+     funny results.  An example is calling  LIST_REMOVE on the same
+     element twice. This will not fail, but result in a data structure
+     referencing who knows what. Prevent these accidents by NULLing some
+     fields on remove and replace. This way, either a panic or segfault
+     will be produced on the faulty operation.
 - (djm) [regress/sftp-cmds.sh]
   Use more restrictive glob to pick up test files from /bin - some platforms
   ship broken symlinks there which could spoil the test.
@ -3378,4 +3386,4 @@
   OpenServer 6 and add osr5bigcrypt support so when someone migrates
   passwords between UnixWare and OpenServer they will still work. OK dtucker@

-$Id: ChangeLog,v 1.4787 2007/10/26 06:41:14 djm Exp $
+$Id: ChangeLog,v 1.4788 2007/10/26 06:42:18 djm Exp $
--- a/openbsd-compat/sys-queue.h
+++ b/openbsd-compat/sys-queue.h
@ -1,4 +1,4 @@
-/*	$OpenBSD: queue.h,v 1.27 2005/02/25 13:29:30 deraadt Exp $	*/
+/*	$OpenBSD: queue.h,v 1.28 2005/10/17 20:19:42 otto Exp $	*/
 /*	$NetBSD: queue.h,v 1.11 1996/05/16 05:17:14 mycroft Exp $	*/

 /*
@ -236,6 +236,7 @@ struct {								\
 			curelm = curelm->field.sle_next;		\
 		curelm->field.sle_next =				\
 		    curelm->field.sle_next->field.sle_next;		\
+		(elm)->field.sle_next = NULL;				\
 	}								\
 } while (0)

@ -303,6 +304,8 @@ struct {								\
 		(elm)->field.le_next->field.le_prev =			\
 		    (elm)->field.le_prev;				\
 	*(elm)->field.le_prev = (elm)->field.le_next;			\
+	(elm)->field.le_prev = NULL; 					\
+	(elm)->field.le_next = NULL;					\
 } while (0)

 #define LIST_REPLACE(elm, elm2, field) do {				\
@ -311,6 +314,8 @@ struct {								\
 		    &(elm2)->field.le_next;				\
 	(elm2)->field.le_prev = (elm)->field.le_prev;			\
 	*(elm2)->field.le_prev = (elm2);				\
+	(elm)->field.le_prev = NULL; 					\
+	(elm)->field.le_next = NULL;					\
 } while (0)

 /*
@ -465,6 +470,8 @@ struct {								\
 	else								\
 		(head)->tqh_last = (elm)->field.tqe_prev;		\
 	*(elm)->field.tqe_prev = (elm)->field.tqe_next;			\
+	(elm)->field.tqe_prev = NULL; 					\
+	(elm)->field.tqe_next = NULL;					\
 } while (0)

 #define TAILQ_REPLACE(head, elm, elm2, field) do {			\
@ -475,6 +482,8 @@ struct {								\
 		(head)->tqh_last = &(elm2)->field.tqe_next;		\
 	(elm2)->field.tqe_prev = (elm)->field.tqe_prev;			\
 	*(elm2)->field.tqe_prev = (elm2);				\
+	(elm)->field.tqe_prev = NULL; 					\
+	(elm)->field.tqe_next = NULL;					\
 } while (0)

 /*
@ -575,6 +584,8 @@ struct {								\
 	else								\
 		(elm)->field.cqe_prev->field.cqe_next =			\
 		    (elm)->field.cqe_next;				\
+	(elm)->field.cqe_next = NULL;					\
+	(elm)->field.cqe_prev = NULL;					\
 } while (0)

 #define CIRCLEQ_REPLACE(head, elm, elm2, field) do {			\
@ -588,6 +599,8 @@ struct {								\
 		(head).cqh_first = (elm2);				\
 	else								\
 		(elm2)->field.cqe_prev->field.cqe_next = (elm2);	\
+	(elm)->field.cqe_next = NULL;					\
+	(elm)->field.cqe_prev = NULL;					\
 } while (0)

 #endif	/* !_FAKE_QUEUE_H_ */