Prevent NULL dereference in async clear-fd code

If the list of fds contains only (one or more) entries marked
as deleted prior to the entry currently being deleted, and the
entry currently being deleted was only just added, the 'prev'
pointer would never be updated from its initial NULL value, and
we would dereference NULL while trying to remove the entry from
the linked list.

Reported by Coverity.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/4602)

diff --git a/crypto/async/async_wait.c b/crypto/async/async_wait.c
index e115985d22565a246e8d6eb87a573870e40d7c1f..a88c2dbb9237c3655614af22f4fb470d882081b6 100644 (file)
--- a/crypto/async/async_wait.c
+++ b/crypto/async/async_wait.c
@@ -145,6 +145,7 @@ int ASYNC_WAIT_CTX_clear_fd(ASYNC_WAIT_CTX *ctx, const void *key)
     while (curr != NULL) {
         if (curr->del == 1) {
             /* This one has been marked deleted already so do nothing */
     while (curr != NULL) {
         if (curr->del == 1) {
             /* This one has been marked deleted already so do nothing */

+            prev = curr;

             curr = curr->next;
             continue;
         }
             curr = curr->next;
             continue;
         }