From 3dab0c9b0ba7ce6f15c9a9c3fb45188edf8ce307 Mon Sep 17 00:00:00 2001
From: Michael Adam <obnox@samba.org>
Date: Thu, 22 Dec 2011 18:09:36 +0100
Subject: [PATCH] rb_tree: fix possible access-after-free-error in
 trbt_traversearray32_node

When the traverse callback frees the current node, the traverse of the
rbtree can fail (the next node->right fails since node is not there any more...).
This is fixed by introducing variables to store the right (and left)
pointers before the callback is called.

(This used to be ctdb commit 8b0caaeed154d26c67a73659d3bbbdd63b21be11)
---
 ctdb/common/rb_tree.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/ctdb/common/rb_tree.c b/ctdb/common/rb_tree.c
index 8458c510bea..bff7c5a4c4f 100644
--- a/ctdb/common/rb_tree.c
+++ b/ctdb/common/rb_tree.c
@@ -921,9 +921,12 @@ trbt_traversearray32_node(trbt_node_t *node, uint32_t keylen,
 	int (*callback)(void *param, void *data), 
 	void *param)
 {
-	if (node->left) {
+	trbt_node_t *left = node->left;
+	trbt_node_t *right = node->right;
+
+	if (left) {
 		int ret;
-		ret = trbt_traversearray32_node(node->left, keylen, callback, param);
+		ret = trbt_traversearray32_node(left, keylen, callback, param);
 		if (ret != 0) {
 			return ret;
 		}
@@ -949,10 +952,10 @@ trbt_traversearray32_node(trbt_node_t *node, uint32_t keylen,
 		}
 	}
 
-	if (node->right) {
+	if (right) {
 		int ret;
 
-		ret = trbt_traversearray32_node(node->right, keylen, callback, param);
+		ret = trbt_traversearray32_node(right, keylen, callback, param);
 		if (ret != 0) {
 			return ret;
 		}
-- 
2.11.4.GIT