URL: https://github.com/SSSD/sssd/pull/968
Author: alexey-tikhonov
Title: #968: util/sss_ptr_hash: fixed double free in sss_ptr_hash_delete_cb()
Action: opened
PR body:
"""
Calling data->callback(value->ptr) in sss_ptr_hash_delete_cb() could lead to freeing of value->ptr and thus to destruction of value->spy that is attached to value->ptr. In turn, sss_ptr_hash_spy_destructor() calls sss_ptr_hash_delete() -> hash_delete() -> sss_ptr_hash_delete_cb() again, and in this recursive execution the hash entry was actually deleted and value was freed. When the stack was unwound back to the "first" sss_ptr_hash_delete_cb(), it tried to free value again => double free.

To prevent this bug, value and hence spy are now freed before execution of data->callback(value->ptr).

Resolves: https://pagure.io/SSSD/sssd/issue/4135
"""
To pull the PR as Git branch:
    git remote add ghsssd https://github.com/SSSD/sssd
    git fetch ghsssd pull/968/head:pr968
    git checkout pr968
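The re-entrancy described in the PR body, as an added model that is not SSSD code: frees are counted rather than performed, so both orderings can be compared without undefined behaviour. All struct and function names are hypothetical, and the model assumes the table unlinks an entry only after its delete callback returns.

```c
#include <stddef.h>
/* Model only: frees are counted, not performed. All names are hypothetical. */
struct payload { int spy_attached; };
struct value { struct payload *ptr; int free_count; };
struct table { struct value *slot; int free_value_first; };

static void table_delete(struct table *t);

/* Stands in for freeing the wrapper, which also disables its spy. */
static void value_free(struct value *v) {
    v->ptr->spy_attached = 0;
    v->free_count++;
}

/* Stands in for a data->callback() that frees the payload: a spy that is still
 * attached is destroyed with it, and its destructor re-enters the delete path. */
static void user_callback(struct table *t, struct payload *p) {
    if (p->spy_attached) {
        p->spy_attached = 0;
        table_delete(t);
    }
}

/* Stands in for the delete callback; the flag selects the ordering. */
static void delete_cb(struct table *t, struct value *v) {
    struct payload *p = v->ptr;     /* saved before the wrapper goes away */
    if (t->free_value_first) {      /* ordering the PR describes as the fix */
        value_free(v);
        user_callback(t, p);
    } else {                        /* ordering the PR describes as buggy */
        user_callback(t, p);
        value_free(v);              /* second free once the nested call returns */
    }
}

/* Model assumption: the entry is unlinked only after the callback returns. */
static void table_delete(struct table *t) {
    struct value *v = t->slot;
    if (v == NULL) return;
    delete_cb(t, v);
    t->slot = NULL;
}

/* Number of times the wrapper is freed for a single delete request. */
int frees_for_one_delete(int free_value_first) {
    struct payload p = { 1 };
    struct value v = { &p, 0 };
    struct table t = { &v, free_value_first };
    table_delete(&t);
    return v.free_count;
}
```

With the callback run first, the nested delete frees the wrapper once and the outer call frees it again; with the wrapper freed first, the spy is gone before the callback runs and no nested delete happens.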