Browse code

rr: reset lump pointer to avoid using it after free for remove rr function

(cherry picked from commit f03c86ade6af9bc529a52f7fd50004721278ae19)

Daniel-Constantin Mierla authored on 14/05/2015 12:41:44
Showing 1 changed files
... ...
@@ -445,13 +445,11 @@ static void free_rr_lump(struct lump **list)
445 445
 				are in failure_route. -- No problem, only the
446 446
 				anchor is left in the list */
447 447
 				
448
-				LOG(L_DBG, "DEBUG: free_rr_lump: lump %p" \
449
-						" is left in the list\n",
448
+				LM_DBG("lump %p is left in the list\n",
450 449
 						lump);
451 450
 				
452 451
 				if (lump->len)
453
-				    LOG(L_CRIT, "BUG: free_rr_lump: lump %p" \
454
-						" can not be removed, but len=%d\n",
452
+				    LM_CRIT("lump %p can not be removed, but len=%d\n",
455 453
 						lump, lump->len);
456 454
 						
457 455
 				prev_lump=lump;
... ...
@@ -460,14 +458,16 @@ static void free_rr_lump(struct lump **list)
460 458
 				else *list = lump->next;
461 459
 				if (!(lump->flags&(LUMPFLAG_DUPED|LUMPFLAG_SHMEM)))
462 460
 					free_lump(lump);
463
-				if (!(lump->flags&LUMPFLAG_SHMEM))
461
+				if (!(lump->flags&LUMPFLAG_SHMEM)) {
464 462
 					pkg_free(lump);
463
+					lump = 0;
464
+				}
465 465
 			}
466 466
 		} else {
467 467
 			/* store previous position */
468 468
 			prev_lump=lump;
469 469
 		}
470
-		if (first_shmem && (lump->flags&LUMPFLAG_SHMEM))
470
+		if (first_shmem && lump && (lump->flags&LUMPFLAG_SHMEM))
471 471
 			first_shmem=0;
472 472
 	}
473 473
 }