Clear next field when returnining list elements in queue.c

[frozencemetery]

The ipa-otpd code occasionally removes elements from one queue,
inspects and modifies them, and then inserts them into
another (possibly identical, possibly different) queue. When the next
pointer isn't cleared, this can result in element membership in both
queues, leading to double frees, or even self-referential elements,
causing infinite loops at traversal time.

Rather than eliminating the pattern, make it safe by clearing the next
field any time an element enters or exits a queue.

Related https://pagure.io/freeipa/issue/7262

[Tiboris]

Could you please add line:
Related https://pagure.io/freeipa/issue/7262
into commit message?

[Tiboris]

@frozencemetery nevermind I did it myself :)

[spoore1]

FYI I tested a 4.6 version of this and it seems to fix the crash. I've run tests similar to the pagure 7262 description for many hours (12 last night, multiple tests before). I've seen no new crashes since applying this patch.

[rcritten]

It would be really great to have a unit test to test the queueing code.

[flo-renaud]

Hi,
please find an inline comment.

[frozencemetery]

Also added unit tests.

[Tiboris]

Hello @frozencemetery,
Thank you for the patch!
Sorry for nitpicking, unfortunately line with ticket number in commit message disappeared.
Could you please add it?

[flo-renaud]

Hi @frozencemetery
thank you for the patch and the tests, works for me. Waiting for the updated commit msg with a ref to the ticket, then I will ACK.

[frozencemetery]

Heh, sorry @Tiboris! Fixed now.

[flo-renaud]

master:

• fe65008 Clear next field when returnining list elements in queue.c
• ab63668 Add cmocka unit tests for ipa otpd queue code