From 15bde7dab466fc4f2719ce709de9dac7e1e10de8 Mon Sep 17 00:00:00 2001 From: Alexey Tikhonov Date: Jan 06 2019 19:12:55 +0000 Subject: util/tev_curl: Fix double free error in schedule_fd_processing() Prevents deletion of already executed timer. libcurl calls schedule_fd_processing every time it wants to have (new) timer setup. And it happens quite a lot of times. Being called schedule_fd_processing wants to delete previous timer before creating new one. That's basically proper action. The problem is it sometimes tries to delete non-existent (already executed and deleted by libtevent) timer. This is "double free" case. Proposed patch sets timer pointer in tcurl_ctx to NULL at the end of timer handler (actually can be placed anywhere in the handler: handler called => timer deleted by libtevent). That prevents schedule_fd_processing from freeing already freed memory. And I think it is good idea overall to not have pointers to freed memory (dangling pointers). This should be safe operation since all processes are single-thread proces Resolves: https://pagure.io/SSSD/sssd/issue/3917 Reviewed-by: Jakub Hrozek --- diff --git a/src/util/tev_curl.c b/src/util/tev_curl.c index d70a429..ebbcefc 100644 --- a/src/util/tev_curl.c +++ b/src/util/tev_curl.c @@ -414,6 +414,7 @@ static void check_fd_activity(struct tevent_context *ev, { struct tcurl_ctx *tctx = talloc_get_type(private_data, struct tcurl_ctx); check_curl_timeouts(tctx); + tctx->process_timer = NULL; } static int schedule_fd_processing(CURLM *multi,
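Review bot: in the check_fd_activity hunk, `tctx->process_timer = NULL;` is stored after `check_curl_timeouts(tctx);` returns, so if that call drives libcurl and libcurl re-enters schedule_fd_processing to set up a new timer (the commit message says libcurl asks for a new timer "quite a lot of times"), the store would overwrite the pointer to the timer that was just created, leaving it unreachable for the next schedule_fd_processing call to delete. Clearing the pointer before the call avoids that ordering hazard, which the commit message itself allows ("can be placed anywhere in the handler"):

    tctx->process_timer = NULL;
    check_curl_timeouts(tctx);

A one-line comment next to the assignment saying that libtevent has already freed this timer once its handler runs would also help the next reader understand why the pointer is cleared here rather than freed.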