ldap_pvt_runqueue_next_sched() may return a pointer to data that's freed by task...

diff --git a/include/ldap_rq.h b/include/ldap_rq.h
index 3e124778c9d4380129b1da9d2691e7d49f6988b5..1e3aea16f161a9dbd23eb52b8a9720c3e3854fc9 100644 (file)
--- a/include/ldap_rq.h
+++ b/include/ldap_rq.h
@@ -63,7 +63,7 @@ ldap_pvt_runqueue_remove(
 LDAP_F( struct re_s* )
 ldap_pvt_runqueue_next_sched(
        struct runqueue_s* rq,
-       struct timeval** next_run
+       struct timeval* next_run
 );
 
 LDAP_F( void )

diff --git a/libraries/libldap_r/rq.c b/libraries/libldap_r/rq.c
index 2ee0db61007b0d632bc302967a7b1f4b519ec5e7..e692c628ed1f2e52cd04b120f0dc556157a831c6 100644 (file)
--- a/libraries/libldap_r/rq.c
+++ b/libraries/libldap_r/rq.c
@@ -99,20 +99,16 @@ ldap_pvt_runqueue_remove(
 struct re_s*
 ldap_pvt_runqueue_next_sched(
        struct runqueue_s* rq,
-       struct timeval** next_run
+       struct timeval* next_run
 )
 {
        struct re_s* entry;
 
        entry = LDAP_STAILQ_FIRST( &rq->task_list );
-       if ( entry == NULL ) {
-               *next_run = NULL;
-               return NULL;
-       } else if ( entry->next_sched.tv_sec == 0 ) {
-               *next_run = NULL;
+       if ( entry == NULL || entry->next_sched.tv_sec == 0 ) {
                return NULL;
        } else {
-               *next_run = &entry->next_sched;
+               *next_run = entry->next_sched;
                return entry;
        }
 }

diff --git a/servers/slapd/daemon.c b/servers/slapd/daemon.c
index 8d44358f4c124d29c59a863648b48693ae426ea0..4e93170bc1eb0b5527b300b455df6d92f55c1d54 100644 (file)
--- a/servers/slapd/daemon.c
+++ b/servers/slapd/daemon.c
@@ -1729,7 +1729,7 @@ slapd_daemon_task(
                struct timeval          tv;
                struct timeval          *tvp;
 
-               struct timeval          *cat;
+               struct timeval          cat;
                time_t                          tdelta = 1;
                struct re_s*            rtask;
                now = slap_get_time();
@@ -1810,7 +1810,7 @@ slapd_daemon_task(
 
                ldap_pvt_thread_mutex_lock( &slapd_rq.rq_mutex );
                rtask = ldap_pvt_runqueue_next_sched( &slapd_rq, &cat );
-               while ( cat && cat->tv_sec && cat->tv_sec <= now ) {
+               while ( rtask && cat.tv_sec && cat.tv_sec <= now ) {
                        if ( ldap_pvt_runqueue_isrunning( &slapd_rq, rtask )) {
                                ldap_pvt_runqueue_resched( &slapd_rq, rtask, 0 );
                        } else {
@@ -1818,15 +1818,15 @@ slapd_daemon_task(
                                ldap_pvt_runqueue_resched( &slapd_rq, rtask, 0 );
                                ldap_pvt_thread_mutex_unlock( &slapd_rq.rq_mutex );
                                ldap_pvt_thread_pool_submit( &connection_pool,
-                                                                                       rtask->routine, (void *) rtask );
+                                       rtask->routine, (void *) rtask );
                                ldap_pvt_thread_mutex_lock( &slapd_rq.rq_mutex );
                        }
                        rtask = ldap_pvt_runqueue_next_sched( &slapd_rq, &cat );
                }
                ldap_pvt_thread_mutex_unlock( &slapd_rq.rq_mutex );
 
-               if ( cat && cat->tv_sec ) {
-                       time_t diff = difftime( cat->tv_sec, now );
+               if ( rtask && cat.tv_sec ) {
+                       time_t diff = difftime( cat.tv_sec, now );
                        if ( diff == 0 ) diff = tdelta;
                        if ( tvp == NULL || diff < tv.tv_sec ) {
                                tv.tv_sec = diff;