From: Benjamin Kaduk Date: Fri, 27 Oct 2017 14:54:14 +0000 (-0500) Subject: Prevent NULL dereference in async clear-fd code X-Git-Tag: OpenSSL_1_1_1-pre1~501 X-Git-Url: https://git.openssl.org/gitweb/?a=commitdiff_plain;ds=sidebyside;h=f403feea11d1ea26fd5b7d9732361cfc3f9f91a9;p=openssl.git Prevent NULL dereference in async clear-fd code If the list of fds contains only (one or more) entries marked as deleted prior to the entry currently being deleted, and the entry currently being deleted was only just added, the 'prev' pointer would never be updated from its initial NULL value, and we would dereference NULL while trying to remove the entry from the linked list. Reported by Coverity. Reviewed-by: Kurt Roeckx (Merged from https://github.com/openssl/openssl/pull/4602) --- diff --git a/crypto/async/async_wait.c b/crypto/async/async_wait.c index e115985d22..a88c2dbb92 100644 --- a/crypto/async/async_wait.c +++ b/crypto/async/async_wait.c @@ -145,6 +145,7 @@ int ASYNC_WAIT_CTX_clear_fd(ASYNC_WAIT_CTX *ctx, const void *key) while (curr != NULL) { if (curr->del == 1) { /* This one has been marked deleted already so do nothing */ + prev = curr; curr = curr->next; continue; }
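Review bot: The comment in the `curr->del == 1` branch of `ASYNC_WAIT_CTX_clear_fd()` still reads "This one has been marked deleted already so do nothing", but with the added `prev = curr;` the branch no longer does nothing. It now keeps `prev` in step with the walk, and that is what the fix depends on. Please update the comment to say so, for example "Already marked deleted: skip it, but keep prev pointing at it so a later unlink has a valid predecessor". Otherwise a later cleanup could take the comment at face value and drop the assignment as redundant. The unlink code that uses `prev` is outside the context shown here, so the hunk alone does not show that every path reaching it now has a non-NULL `prev` or handles the head-of-list case. A regression test covering the scenario in the commit message (only deleted-marked entries ahead of an entry that was just added and is then cleared) would pin this down, since the problem was reported by Coverity rather than by a failing test.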