[DTrace-devel] [PATCH 20/23] proc: do not access freed memory when discarding shortlived handles

[Nick Alcock]

Signed-off-by: Nick Alcock <nick.alcock at oracle.com>
Reviewed-by: Kris Van Hees <kris.van.hees at oracle.com>
---
 libdtrace/dt_proc.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/libdtrace/dt_proc.c b/libdtrace/dt_proc.c
index e2861e01..9c9fc967 100644
--- a/libdtrace/dt_proc.c
+++ b/libdtrace/dt_proc.c
@@ -1853,15 +1853,18 @@ dt_proc_grab(dtrace_hdl_t *dtp, pid_t pid, int flags)
 	 * we know there is no control thread, so it is impossible for anything
 	 * to be holding a reference to it.
 	 */
-	for (dpr = dph->dph_hash[h]; dpr != NULL; dpr = dpr->dpr_hash) {
+	for (dpr = dph->dph_hash[h]; dpr != NULL;) {
 		if ((dpr->dpr_pid == pid) &&
 		    !(flags & DTRACE_PROC_SHORTLIVED) && !dpr->dpr_tid) {
 				dt_dprintf("pid %d (cached, but noninvasive) "
 				    "dropped.\n", (int)pid);
 
+				dt_proc_t *npr = dpr->dpr_hash;
+
 				dt_list_delete(&dph->dph_lrulist, dpr);
 				dt_proc_destroy(dtp, dpr);
 				dt_free(dtp, dpr);
+				dpr = npr;
 
 		} else if (dpr->dpr_pid == pid) {
 			dt_dprintf("grabbed pid %d (cached)\n", (int)pid);
@@ -1877,6 +1880,8 @@ dt_proc_grab(dtrace_hdl_t *dtp, pid_t pid, int flags)
 			}
 			return dpr;
 		}
+		else
+			dpr = dpr->dpr_hash;
 	}
 
 	/*
-- 
2.42.0