[Common] Fix use-after-free in LISTP_FOR_EACH_ENTRY_SAFE

If we iterate over the list, deleting all elements, after the last iteration TMP is going to point to an already-freed element. Because of that, we're not allowed to dereference it after the last iteration. Signed-off-by: Paweł Marczewski <pawel@invisiblethingslab.com>
gramineproject · Sep 10, 2021 · b8c121c · b8c121c
1 parent d2645b4
commit b8c121c
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/common/include/list.h b/common/include/list.h
@@ -272,8 +272,8 @@
          (HEAD)->first &&                                                                          \
          (first_iter || (CURSOR) != (HEAD)->first);                                                \
          /* Handle the case where the first element was removed. */                                \
-         first_iter = first_iter && (TMP) != (CURSOR) && (HEAD)->first == (TMP), (CURSOR) = (TMP), \
-              (TMP) = (TMP)->FIELD.next)
+         first_iter = first_iter && (TMP) != (CURSOR) && (HEAD)->first == (TMP),                   \
+             ((TMP) != (CURSOR) && ((CURSOR) = (TMP), (TMP) = (TMP)->FIELD.next)))
 
 /* Continue safe iteration with CURSOR->next */
 #define LISTP_FOR_EACH_ENTRY_SAFE_CONTINUE(CURSOR, TMP, HEAD, FIELD)    \