policy: fix looping through list while removing elements (rh #1175446)jk/vpn-secondaries-fix-rh1175446

When g_slist_remove() was called, iter2 became invalid and accessing it
could cause a crash. The same was true for iter.
Fix the problem by getting the next list item before an element removal.

See the similar fix in bluez
http://git.kernel.org/cgit/bluetooth/bluez.git/commit/?id=be8c5be809875ba449a10ca29f5244f0231f6b63

https://bugzilla.redhat.com/show_bug.cgi?id=1175446
https://bugzilla.redhat.com/show_bug.cgi?id=1277247

1 files changed, 7 insertions, 3 deletions

diff --git a/src/nm-policy.c b/src/nm-policy.c
index e186320d2e..3a4236faf5 100644
--- a/src/nm-policy.c
+++ b/src/nm-policy.c
@@ -752,17 +752,21 @@ process_secondaries (NMPolicy *policy,
                      gboolean connected)
 {
 	NMPolicyPrivate *priv = NM_POLICY_GET_PRIVATE (policy);
-	GSList *iter, *iter2;
+	GSList *iter, *iter2, *next, *next2;
 
 	/* Loop through devices waiting for secondary connections to activate */
-	for (iter = priv->pending_secondaries; iter; iter = g_slist_next (iter)) {
+	for (iter = priv->pending_secondaries; iter; iter = next) {
 		PendingSecondaryData *secondary_data = (PendingSecondaryData *) iter->data;
 		NMDevice *item_device = secondary_data->device;
 
+		next = g_slist_next (iter);
+
 		/* Look for 'active' in each device's secondary connections list */
-		for (iter2 = secondary_data->secondaries; iter2; iter2 = g_slist_next (iter2)) {
+		for (iter2 = secondary_data->secondaries; iter2; iter2 = next2) {
 			NMActiveConnection *secondary_active = NM_ACTIVE_CONNECTION (iter2->data);
 
+			next2 = g_slist_next (iter2);
+
 			if (active != secondary_active)
 				continue;