From c77fbd2cf9a555e12597d5a671a534fa7140e523 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Sat, 11 Jan 2014 08:58:05 +0100
Subject: [PATCH] tevent: fix crash bug in tevent_queue_immediate_trigger()

Assume we we have a queue with 2 entries (A and B with triggerA() and triggerB()). If triggerA() removes itself tevent_queue_entry_destructor() will be called for A, this schedules the immediate event to call triggerB(). If triggerA() then also removes B by an explicit of implizit talloc_free(), q->list is NULL, but the immediate event is still scheduled and can't be unscheduled.

Signed-off-by: Stefan Metzmacher
Reviewed-by: Volker Lendecke
(cherry picked from commit 7fe5584e2a59584431cb2ddf8a4da22bfb924454)
---
 lib/tevent/tevent_queue.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/lib/tevent/tevent_queue.c b/lib/tevent/tevent_queue.c
index 4750675802f..eeb922fbbc8 100644
--- a/lib/tevent/tevent_queue.c
+++ b/lib/tevent/tevent_queue.c
@@ -140,6 +140,10 @@ static void tevent_queue_immediate_trigger(struct tevent_context *ev,
 return;
 }

+ if (!q->list) {
+ return;
+ }
+
 q->list->triggered = true;
 q->list->trigger(q->list->req, q->list->private_data);
 }
--
2.11.4.GIT
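Review bot: The new `if (!q->list)` guard has no comment, so the reason an empty list is a legitimate state here is recorded only in the commit message. A later cleanup could take the check for dead code and reintroduce the NULL dereference on `q->list->triggered`. I would put a short comment above it, e.g. `/* a previous trigger may have freed all remaining entries; the immediate event cannot be unscheduled, so the list can be empty here */`. As a point of style, the explicit form `if (q->list == NULL)` makes the pointer test more obvious. The diffstat shows only tevent_queue.c changed, so no regression test for the "trigger frees its own entry and the next one" case accompanies the fix. The function's opening lines lie outside the hunk.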