Bug 1622165

Summary: ipa-otpd: fix potential double-free and infinite loop in queue code
Product: [Fedora] Fedora
Reporter: Robbie Harwood <rharwood>
Component: freeipa
Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 28
CC: abokovoy, frenaud, ipa-maint, jcholast, jhrozek, pvoborni, rcritten, ssorce
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
URL: https://github.com/freeipa/freeipa/pull/2283
Clone Of:
: 1622166 (view as bug list) Environment:
Last Closed: 2019-03-18 14:51:40 UTC
Type: Bug
Bug Blocks: 1622166, 1622168    

Description Robbie Harwood 2018-08-24 14:56:15 UTC
Upstream PR: https://github.com/freeipa/freeipa/pull/2283

The ipa-otpd code occasionally removes elements from one queue,
inspects and modifies them, and then inserts them into
another (possibly identical, possibly different) queue. When the next
pointer isn't cleared, this can result in element membership in both
queues, leading to double frees, or even self-referential elements,
causing infinite loops at traversal time.

Rather than eliminating the pattern, make it safe by clearing the next
field any time an element enters or exits a queue.
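
The invariant stated in the description (clear the next field whenever an element enters or exits a queue), as an added C example that is not part of the bug report or the ipa-otpd source. The `item` and `queue` types and the `q_push`, `q_pop` and `q_len` names are hypothetical.

```c
#include <stdio.h>

/* Hypothetical types and names for illustration; not ipa-otpd's own. */
struct item { struct item *next; int id; };
struct queue { struct item *head, *tail; };

/* Append an item. Clearing next on entry drops any link left over from
 * a queue the item was on before. */
static void q_push(struct queue *q, struct item *it) {
    it->next = NULL;
    if (q->tail != NULL)
        q->tail->next = it;
    else
        q->head = it;
    q->tail = it;
}

/* Detach the head. Clearing next on exit hands the caller an item that
 * no longer points into the rest of this queue. */
static struct item *q_pop(struct queue *q) {
    struct item *it = q->head;
    if (it == NULL)
        return NULL;
    q->head = it->next;
    if (q->head == NULL)
        q->tail = NULL;
    it->next = NULL;
    return it;
}

/* Count items; returns -1 after limit steps so a cycle cannot hang us. */
static int q_len(const struct queue *q, int limit) {
    int n = 0;
    for (const struct item *it = q->head; it != NULL; it = it->next)
        if (++n > limit)
            return -1;
    return n;
}

int main(void) {
    struct item a = { NULL, 1 }, b = { NULL, 2 };   /* constructed sample */
    struct queue pending = { NULL, NULL }, done = { NULL, NULL };
    q_push(&pending, &a);
    q_push(&pending, &b);
    q_push(&done, q_pop(&pending));   /* move a: pending -> done */
    printf("pending=%d done=%d\n", q_len(&pending, 8), q_len(&done, 8));
    return 0;
}
```

The bounded `q_len` is a test aid: if either assignment of `NULL` to `next` is dropped, a stale link can put one element on both queues or close a cycle, which the bound reports as -1 instead of looping.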