From: Todd C. Miller <Todd.Miller@courtesan.com>
Date: Thu, 20 Apr 2017 22:13:14 +0000 (-0600)
Subject: Use the standard idiom for popping all entries from a tail queue.
X-Git-Tag: SUDO_1_8_20^2~38
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=9f1afe23fe0b79936dbcf3be0bb629d16aea10d2;p=sudo

Use the standard idiom for popping all entries from a tail queue.
The llvm checker gets confused by TAILQ_REMOVE and generate
use-after-free false positives.
---

diff --git a/src/exec_pty.c b/src/exec_pty.c
index a983dbb15..7e12acbbf 100644
--- a/src/exec_pty.c
+++ b/src/exec_pty.c
@@ -1061,8 +1061,7 @@ sigfwd_cb(int sock, int what, void *v)
     ssize_t nsent;
     debug_decl(sigfwd_cb, SUDO_DEBUG_EXEC)
 
-    while (!TAILQ_EMPTY(&ec->sigfwd_list)) {
-	sigfwd = TAILQ_FIRST(&ec->sigfwd_list);
+    while ((sigfwd = TAILQ_FIRST(&ec->sigfwd_list)) != NULL) {
 	if (sigfwd->signo == SIGCONT_FG)
 	    strlcpy(signame, "CONT_FG", sizeof(signame));
 	else if (sigfwd->signo == SIGCONT_BG)
@@ -1080,14 +1079,13 @@ sigfwd_cb(int sock, int what, void *v)
 	free(sigfwd);
 	if (nsent != sizeof(cstat)) {
 	    if (errno == EPIPE) {
-		struct sigforward *sigfwd_next;
 		sudo_debug_printf(SUDO_DEBUG_ERROR,
 		    "broken pipe writing to child over backchannel");
 		/* Other end of socket gone, empty out sigfwd_list. */
-		TAILQ_FOREACH_SAFE(sigfwd, &ec->sigfwd_list, entries, sigfwd_next) {
+		while ((sigfwd = TAILQ_FIRST(&ec->sigfwd_list)) != NULL) {
+		    TAILQ_REMOVE(&ec->sigfwd_list, sigfwd, entries);
 		    free(sigfwd);
 		}
-		TAILQ_INIT(&ec->sigfwd_list);
 		/* XXX - child (monitor) is dead, we should exit too? */
 	    }
 	    break;