diff options
| author | Otto Moerbeek <otto@cvs.openbsd.org> | 2005-10-17 20:19:43 +0000 |
|---|---|---|
| committer | Otto Moerbeek <otto@cvs.openbsd.org> | 2005-10-17 20:19:43 +0000 |
| commit | 88b2b7477f8d1c791bf8b337d636216e308c4499 (patch) | |
| tree | a7a96d8f150ab7ad8a9fa778988a1c9d8fd9cd77 /sys | |
| parent | 4a0ed5cca7e7946257e03b643c53682e20a89bf2 (diff) | |
Performing certain operations on queue.h data structurs produced
funny results. An example is calling LIST_REMOVE on the same
element twice. This will not fail, but result in a data structure
referencing who knows what. Prevent these accidents by NULLing some
fields on remove and replace. This way, either a panic or segfault
will be produced on the faulty operation.
Tested by many, ok deraadt@
Diffstat (limited to 'sys')
| -rw-r--r-- | sys/sys/queue.h | 15 |
1 files changed, 14 insertions, 1 deletions
diff --git a/sys/sys/queue.h b/sys/sys/queue.h index 82ec5f7fa7c..ed31d4ac564 100644 --- a/sys/sys/queue.h +++ b/sys/sys/queue.h @@ -1,4 +1,4 @@ -/* $OpenBSD: queue.h,v 1.27 2005/02/25 13:29:30 deraadt Exp $ */ +/* $OpenBSD: queue.h,v 1.28 2005/10/17 20:19:42 otto Exp $ */ /* $NetBSD: queue.h,v 1.11 1996/05/16 05:17:14 mycroft Exp $ */ /* @@ -151,6 +151,7 @@ struct { \ curelm = curelm->field.sle_next; \ curelm->field.sle_next = \ curelm->field.sle_next->field.sle_next; \ + (elm)->field.sle_next = NULL; \ } \ } while (0) @@ -218,6 +219,8 @@ struct { \ (elm)->field.le_next->field.le_prev = \ (elm)->field.le_prev; \ *(elm)->field.le_prev = (elm)->field.le_next; \ + (elm)->field.le_prev = NULL; \ + (elm)->field.le_next = NULL; \ } while (0) #define LIST_REPLACE(elm, elm2, field) do { \ @@ -226,6 +229,8 @@ struct { \ &(elm2)->field.le_next; \ (elm2)->field.le_prev = (elm)->field.le_prev; \ *(elm2)->field.le_prev = (elm2); \ + (elm)->field.le_prev = NULL; \ + (elm)->field.le_next = NULL; \ } while (0) /* @@ -380,6 +385,8 @@ struct { \ else \ (head)->tqh_last = (elm)->field.tqe_prev; \ *(elm)->field.tqe_prev = (elm)->field.tqe_next; \ + (elm)->field.tqe_prev = NULL; \ + (elm)->field.tqe_next = NULL; \ } while (0) #define TAILQ_REPLACE(head, elm, elm2, field) do { \ @@ -390,6 +397,8 @@ struct { \ (head)->tqh_last = &(elm2)->field.tqe_next; \ (elm2)->field.tqe_prev = (elm)->field.tqe_prev; \ *(elm2)->field.tqe_prev = (elm2); \ + (elm)->field.tqe_prev = NULL; \ + (elm)->field.tqe_next = NULL; \ } while (0) /* @@ -490,6 +499,8 @@ struct { \ else \ (elm)->field.cqe_prev->field.cqe_next = \ (elm)->field.cqe_next; \ + (elm)->field.cqe_next = NULL; \ + (elm)->field.cqe_prev = NULL; \ } while (0) #define CIRCLEQ_REPLACE(head, elm, elm2, field) do { \ @@ -503,6 +514,8 @@ struct { \ (head).cqh_first = (elm2); \ else \ (elm2)->field.cqe_prev->field.cqe_next = (elm2); \ + (elm)->field.cqe_next = NULL; \ + (elm)->field.cqe_prev = NULL; \ } while (0) #endif /* !_SYS_QUEUE_H_ */ |