From ea7af1aad7288e6bd9b146f895b260eadd904ea8 Mon Sep 17 00:00:00 2001
From: Bernhard Reutner-Fischer <rep.dot.nop@gmail.com>
Date: Wed, 29 Oct 2008 13:34:35 +0000
Subject: - fix use after free (Kevin Day)   dl_cleanup will call do_dlclose
 with the handle.   Inside of do_dlclose, the handle will ultimately get
 free'd.

---
 ldso/libdl/libdl.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

(limited to 'ldso')

diff --git a/ldso/libdl/libdl.c b/ldso/libdl/libdl.c
index 10ccab68c..f914cf3be 100644
--- a/ldso/libdl/libdl.c
+++ b/ldso/libdl/libdl.c
@@ -146,9 +146,11 @@ static const char *dl_error_names[] = {
 void dl_cleanup(void) __attribute__ ((destructor));
 void dl_cleanup(void)
 {
-	struct dyn_elf *d;
-	for (d = _dl_handles; d; d = d->next_handle) {
-		do_dlclose(d, 1);
+	struct dyn_elf *h, *n;
+
+	for (h = _dl_handles; h; h = n) {
+		n = h->next_handle;
+		do_dlclose(h, 1);
 	}
 }
 
-- 
cgit v1.2.3