The remove_ and delete_ functions remove the current element from the asyncio_reader_list, and free it, respectively.
We then return back to the loop at the top, wherein the asyncio_reader variable still points at the now-freed element, whose contents are now scrambled by having link pointers, etc, from internal malloc state overlaying the data. This loop should probably extract the ->link pointer prior to calling ->receiver(), as that function can free the asyncio_reader object in question. (LP: #1481388) -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to ntp in Ubuntu. https://bugs.launchpad.net/bugs/1481388 Title: NTP : Use-after-free in routing socket code after dropping root To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1481388/+subscriptions -- Ubuntu-server-bugs mailing list Ubuntu-server-bugs@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
