From d84afed05b37d4487481f30529e279061c422c10 Mon Sep 17 00:00:00 2001 From: Kurt Zeilenga Date: Thu, 17 Aug 2006 04:43:57 +0000 Subject: [PATCH] don't risk using dangling pointers when looping thru connections (ITS#4405) --- CHANGES | 1 + libraries/libldap/result.c | 20 +++++++++++++------- 2 files changed, 14 insertions(+), 7 deletions(-) diff --git a/CHANGES b/CHANGES index 843bf38628..762fd86c4d 100644 --- a/CHANGES +++ b/CHANGES @@ -2,6 +2,7 @@ OpenLDAP 2.3 Change Log OpenLDAP 2.3.26 Release Fixed libldap dnssrv bug with "not present" positive statement (ITS#4610) + Fixed libldap dangling pointer issue (ITS#4405) Fixed slapd incorrect rebuilding of replica URI (ITS#4633) Fixed slapd-monitor operations order via callbacks (ITS#4631) Fixed slapo-accesslog purge task during shutdown diff --git a/libraries/libldap/result.c b/libraries/libldap/result.c index b33afc48e4..7e0bad24ba 100644 --- a/libraries/libldap/result.c +++ b/libraries/libldap/result.c @@ -233,7 +233,7 @@ wait4msg( *tvp; time_t start_time = 0; time_t tmp_time; - LDAPConn *lc, *nextlc; + LDAPConn *lc; assert( ld != NULL ); assert( result != NULL ); @@ -277,8 +277,7 @@ wait4msg( #ifdef LDAP_R_COMPILE ldap_pvt_thread_mutex_lock( &ld->ld_conn_mutex ); #endif - for ( lc = ld->ld_conns; lc != NULL; lc = nextlc ) { - nextlc = lc->lconn_next; + for ( lc = ld->ld_conns; lc != NULL; lc = lc->lconn_next ) { if ( ber_sockbuf_ctrl( lc->lconn_sb, LBER_SB_OPT_DATA_READY, NULL ) ) { #ifdef LDAP_R_COMPILE @@ -333,10 +332,10 @@ wait4msg( ldap_pvt_thread_mutex_unlock( &ld->ld_req_mutex ); ldap_pvt_thread_mutex_lock( &ld->ld_conn_mutex ); #endif - for ( lc = ld->ld_conns; rc == LDAP_MSG_X_KEEP_LOOKING && lc != NULL; - lc = nextlc ) + for ( lc = ld->ld_conns; + rc == LDAP_MSG_X_KEEP_LOOKING && lc != NULL; + lc = lc->lconn_next ) { - nextlc = lc->lconn_next; if ( lc->lconn_status == LDAP_CONNST_CONNECTED && ldap_is_read_ready( ld, lc->lconn_sb )) { 
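Review bot: The first loop (hunk at -277) now advances with `lc = lc->lconn_next` in the for-increment, but its body runs past the end of the hunk, so whether it has the same hazard the second loop has cannot be seen here: if that body also hands `&lc` to try_read1msg and can come back with `lc == NULL`, the increment dereferences NULL unless the body leaves the loop first. Presumably it breaks right after the read, but that is an invariant the loop header now silently depends on. A one-line comment at the loop head would pin it down, e.g. `/* body must break after try_read1msg: lc may have been freed, so lc->lconn_next is not safe to follow */`. The enclosing for-loop body ends outside this hunk.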
@@ -344,10 +343,17 @@ wait4msg(
 ldap_pvt_thread_mutex_unlock( &ld->ld_conn_mutex );
 #endif
 rc = try_read1msg( ld, msgid, all, &lc, result );
- if ( lc == NULL ) lc = nextlc;
 #ifdef LDAP_R_COMPILE
 ldap_pvt_thread_mutex_lock( &ld->ld_conn_mutex );
 #endif
+ if ( lc == NULL ) {
+ /* if lc gets free()'d,
+ * there's no guarantee
+ * lc->lconn_next is still
+ * sane; better restart
+ * (ITS#4405) */
+ lc = ld->ld_conns;
+ }
 }
 }
 #ifdef LDAP_R_COMPILE
-- 
2.39.5
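Review bot: The restart `lc = ld->ld_conns;` is the last statement of the loop body, so control falls straight into the for-increment `lc = lc->lconn_next` from the previous hunk: the head connection is skipped rather than re-examined, and when the freed connection was the only one in the list, `ld->ld_conns` is now NULL and the increment dereferences a NULL pointer — the very class of bug ITS#4405 is meant to close. A for-loop cannot express "restart without advancing"; either exit with `break;` right after the reset (safe only if the enclosing loop, which begins outside this hunk, re-polls while rc is still LDAP_MSG_X_KEEP_LOOKING — I cannot confirm that here) or rewrite it as a while loop that advances only when lc was not reset. The rewrite below takes the second route and keeps the ld_conn_mutex handling as in the commit; the for-header it replaces sits in the preceding hunk.

```c
	/* … unchanged: relock of ld_conn_mutex before the scan … */
	lc = ld->ld_conns;
	while ( rc == LDAP_MSG_X_KEEP_LOOKING && lc != NULL ) {
		if ( lc->lconn_status == LDAP_CONNST_CONNECTED &&
			ldap_is_read_ready( ld, lc->lconn_sb )) {
			/* … unchanged: unlock, try_read1msg( ld, msgid, all, &lc, result ), relock … */
			if ( lc == NULL ) {
				/* lc was freed inside try_read1msg, so its
				 * lconn_next is gone; restart from the (possibly
				 * now empty) head instead of advancing (ITS#4405) */
				lc = ld->ld_conns;
				continue;
			}
		}
		lc = lc->lconn_next;
	}
```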