From: Jon Maloy <jon.ma...@ericsson.com>
Date: Tue, 17 Apr 2018 21:25:42 +0200

> When we delete a service item in tipc_nametbl_stop() we loop over
> all service ranges in the service's RB tree, and for each service
> range we loop over its pertaining publications while calling
> tipc_service_remove_publ() for each of them.
>
> However, tipc_service_remove_publ() has the side effect that it also
> removes the comprising service range item when there are no publications
> left. This leads to a "use-after-free" access when the inner loop
> continues to the next iteration, since the range item holding the list
> we are looping no longer exists.
>
> We fix this by moving the delete of the service range item outside
> the said function. Instead, we now let the two functions calling it
> test if the list is empty and perform the removal when that is the
> case.
>
> Reported-by: syzbot+d64b64afc55660106...@syzkaller.appspotmail.com
> Signed-off-by: Jon Maloy <jon.ma...@ericsson.com>

Applied.
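The ownership split the commit message describes, as an added example written for this page (not the TIPC patch itself; the list types and function names below are a constructed, hypothetical model, not the kernel's): the publication-removal helper only frees the publication and reports emptiness, and each caller removes the range once its own loop over that range's list has finished.

```c
#include <stdlib.h>

/* Constructed model (hypothetical names, not the kernel's): a service holds
 * ranges, each range owns a list of publications. */
struct publ { struct publ *next; unsigned key; };
struct range { struct range *next; struct publ *publs; };
struct service { struct range *ranges; };

static struct range *add_range(struct service *s) {
    struct range *r = calloc(1, sizeof *r);
    r->next = s->ranges; s->ranges = r;
    return r;
}
static void add_publ(struct range *r, unsigned key) {
    struct publ *p = calloc(1, sizeof *p);
    p->key = key; p->next = r->publs; r->publs = p;
}

/* Fixed shape of the helper: unlink and free one publication only, and
 * report whether the range is now empty. The buggy version also freed the
 * range here, so a caller still walking r->publs read freed memory. */
static int remove_publ(struct range *r, unsigned key) {
    for (struct publ **pp = &r->publs; *pp; pp = &(*pp)->next) {
        if ((*pp)->key != key) continue;
        struct publ *p = *pp;
        *pp = p->next;
        free(p);
        break;
    }
    return r->publs == NULL;   /* caller decides whether to drop the range */
}

/* Dropping the range is now the caller's job, once it has seen the
 * publication list go empty (the single-withdraw path does the same). */
static void remove_range(struct service *s, struct range *r) {
    for (struct range **pr = &s->ranges; *pr; pr = &(*pr)->next)
        if (*pr == r) { *pr = r->next; free(r); return; }
}

/* Stop path: finish the inner loop over r->publs while r is still alive,
 * then remove the range. Returns how many ranges were torn down. */
static int service_stop(struct service *s) {
    int n = 0;
    for (struct range *r = s->ranges, *next; r; r = next) {
        next = r->next;
        while (r->publs)                 /* safe: r is not freed in here */
            remove_publ(r, r->publs->key);
        remove_range(s, r);
        n++;
    }
    return n;
}
```

Running this under a sanitizer-enabled build (for instance with AddressSanitizer) is the quick way to confirm the loop never touches a freed range; moving the `free(r)` back into `remove_publ` reproduces the class of access the report describes.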