Bug 1622165 - ipa-otpd: fix potential double-free and infinite loop in queue code
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: freeipa
Version: 28
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: IPA Maintainers
QA Contact: Fedora Extras Quality Assurance
URL: https://github.com/freeipa/freeipa/pu...
Whiteboard:
Depends On:
Blocks: 1622166 1622168
Reported: 2018-08-24 14:56 UTC by Robbie Harwood
Modified: 2019-03-18 14:51 UTC

Fixed In Version:
Clone Of:
: 1622166
Environment:
Last Closed: 2019-03-18 14:51:40 UTC
Type: Bug
Embargoed:



Description Robbie Harwood 2018-08-24 14:56:15 UTC
Upstream PR: https://github.com/freeipa/freeipa/pull/2283

The ipa-otpd code occasionally removes elements from one queue,
inspects and modifies them, and then inserts them into
another (possibly identical, possibly different) queue. When the next
pointer isn't cleared, this can result in element membership in both
queues, leading to double frees, or even self-referential elements,
causing infinite loops at traversal time.

Rather than eliminating the pattern, make it safe by clearing the next
field any time an element enters or exits a queue.
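
The hazard and the fix described in the report, as an added example that is not part of the original comment and is not the ipa-otpd code: a hypothetical singly linked queue (`struct item`, `struct queue`, `q_push`, `q_pop`, `q_len` and `requeue_swapped` are all assumed names) where a `clear` flag switches the clearing of `next` on and off. Two elements are popped and re-queued in the opposite order; without clearing, the stale pointer closes a cycle and a bounded walk reports it.

```c
#include <stddef.h>
/* Hypothetical singly linked queue; not the ipa-otpd data structures. */
struct item { struct item *next; int id; };
struct queue { struct item *head, *tail; };

/* Insert at tail; with clear set, the next field is reset on entry. */
static void q_push(struct queue *q, struct item *it, int clear) {
    if (clear)
        it->next = NULL;
    if (q->tail != NULL)
        q->tail->next = it;
    else
        q->head = it;
    q->tail = it;
}

/* Remove from head; with clear set, the next field is reset on exit. */
static struct item *q_pop(struct queue *q, int clear) {
    struct item *it = q->head;
    if (it == NULL)
        return NULL;
    q->head = it->next;
    if (q->head == NULL)
        q->tail = NULL;
    if (clear)
        it->next = NULL;
    return it;
}

/* Count elements, returning -1 if the walk exceeds limit (a cycle). */
static int q_len(const struct queue *q, int limit) {
    int n = 0;
    for (const struct item *it = q->head; it != NULL; it = it->next)
        if (++n > limit)
            return -1;
    return n;
}

/* Pop x then y from src, push y then x onto dst; returns q_len(dst). */
static int requeue_swapped(int clear) {
    struct item y = { NULL, 2 }, x = { &y, 1 };          /* src: x -> y */
    struct queue src = { &x, &y }, dst = { NULL, NULL };
    struct item *a = q_pop(&src, clear), *b = q_pop(&src, clear);
    q_push(&dst, b, clear);
    q_push(&dst, a, clear); /* clear == 0: x.next still names y, so y -> x -> y */
    return q_len(&dst, 16);
}

int main(void) { return (requeue_swapped(1) == 2 && requeue_swapped(0) == -1) ? 0 : 1; }
```

A cleanup loop that walks such a cycle and frees each element would visit the same element more than once, which is the double-free case the report names.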

