diff options
| author |   otto <otto@openbsd.org> | 2005-10-17 20:19:42 +0000 |
|---|---|---|
| committer | otto <otto@openbsd.org> | 2005-10-17 20:19:42 +0000 |
| commit | 19a8338fed5964f8f2f0e64919109db12f26f4b2 (patch) | |
| tree | fea02d7c180f6927e1da818cce6fcf20c5c16e71 /sys/sys/queue.h | |
| parent | make undo of word-based capitalization functions work (diff) | |
| download | wireguard-openbsd-19a8338fed5964f8f2f0e64919109db12f26f4b2.tar.xz wireguard-openbsd-19a8338fed5964f8f2f0e64919109db12f26f4b2.zip | |
Performing certain operations on queue.h data structurs produced
funny results. An example is calling LIST_REMOVE on the same
element twice. This will not fail, but result in a data structure
referencing who knows what. Prevent these accidents by NULLing some
fields on remove and replace. This way, either a panic or segfault
will be produced on the faulty operation.
Tested by many, ok deraadt@
Diffstat (limited to 'sys/sys/queue.h')
| -rw-r--r-- | sys/sys/queue.h | 15 |
1 files changed, 14 insertions, 1 deletions
diff --git a/sys/sys/queue.h b/sys/sys/queue.h index 82ec5f7fa7c..ed31d4ac564 100644 --- a/sys/sys/queue.h +++ b/sys/sys/queue.h @@ -1,4 +1,4 @@ -/* $OpenBSD: queue.h,v 1.27 2005/02/25 13:29:30 deraadt Exp $ */ +/* $OpenBSD: queue.h,v 1.28 2005/10/17 20:19:42 otto Exp $ */ /* $NetBSD: queue.h,v 1.11 1996/05/16 05:17:14 mycroft Exp $ */ /* @@ -151,6 +151,7 @@ struct { \ curelm = curelm->field.sle_next; \ curelm->field.sle_next = \ curelm->field.sle_next->field.sle_next; \ + (elm)->field.sle_next = NULL; \ } \ } while (0) @@ -218,6 +219,8 @@ struct { \ (elm)->field.le_next->field.le_prev = \ (elm)->field.le_prev; \ *(elm)->field.le_prev = (elm)->field.le_next; \ + (elm)->field.le_prev = NULL; \ + (elm)->field.le_next = NULL; \ } while (0) #define LIST_REPLACE(elm, elm2, field) do { \ @@ -226,6 +229,8 @@ struct { \ &(elm2)->field.le_next; \ (elm2)->field.le_prev = (elm)->field.le_prev; \ *(elm2)->field.le_prev = (elm2); \ + (elm)->field.le_prev = NULL; \ + (elm)->field.le_next = NULL; \ } while (0) /* @@ -380,6 +385,8 @@ struct { \ else \ (head)->tqh_last = (elm)->field.tqe_prev; \ *(elm)->field.tqe_prev = (elm)->field.tqe_next; \ + (elm)->field.tqe_prev = NULL; \ + (elm)->field.tqe_next = NULL; \ } while (0) #define TAILQ_REPLACE(head, elm, elm2, field) do { \ @@ -390,6 +397,8 @@ struct { \ (head)->tqh_last = &(elm2)->field.tqe_next; \ (elm2)->field.tqe_prev = (elm)->field.tqe_prev; \ *(elm2)->field.tqe_prev = (elm2); \ + (elm)->field.tqe_prev = NULL; \ + (elm)->field.tqe_next = NULL; \ } while (0) /* @@ -490,6 +499,8 @@ struct { \ else \ (elm)->field.cqe_prev->field.cqe_next = \ (elm)->field.cqe_next; \ + (elm)->field.cqe_next = NULL; \ + (elm)->field.cqe_prev = NULL; \ } while (0) #define CIRCLEQ_REPLACE(head, elm, elm2, field) do { \ @@ -503,6 +514,8 @@ struct { \ (head).cqh_first = (elm2); \ else \ (elm2)->field.cqe_prev->field.cqe_next = (elm2); \ + (elm)->field.cqe_next = NULL; \ + (elm)->field.cqe_prev = NULL; \ } while (0) #endif /* !_SYS_QUEUE_H_ */ |