From 75f39c9fb438e87f14fa8068af565e07e4e5b87f Mon Sep 17 00:00:00 2001
From: bluhm
Date: Tue, 6 Jan 2015 23:11:23 +0000
Subject: [PATCH] Backout revision 1.37. Setting ev->ev_pncalls to NULL results in a use after free if the callback has freed the ev. With F in malloc.conf both tmux and the regression tests triggered a segmentation fault. OK nicm@
---
 lib/libevent/event.c | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/lib/libevent/event.c b/lib/libevent/event.c
index 57dc365f8d1..61e77b721eb 100644
--- a/lib/libevent/event.c
+++ b/lib/libevent/event.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: event.c,v 1.37 2015/01/06 11:27:35 bluhm Exp $ */
+/* $OpenBSD: event.c,v 1.38 2015/01/06 23:11:23 bluhm Exp $ */
 /*
 * Copyright (c) 2000-2004 Niels Provos
@@ -348,12 +348,9 @@ event_process_active(struct event_base *base)
 ncalls--;
 ev->ev_ncalls = ncalls;
 (*ev->ev_callback)((int)ev->ev_fd, ev->ev_res, ev->ev_arg);
- if (event_gotsig || base->event_break) {
- ev->ev_pncalls = NULL;
+ if (event_gotsig || base->event_break)
 return;
- }
 }
- ev->ev_pncalls = NULL;
 }
 }
--
2.20.1
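Review bot: Nothing in the restored code of the second hunk records why `ev` is left untouched after `(*ev->ev_callback)(...)` returns, although that is the invariant this backout depends on: per the commit message the callback may free `ev`, so any later store through it is a use after free. A comment directly after the call, e.g. `/* ev may have been freed by the callback; do not dereference it below */`, would keep a later change from reintroducing the 1.37 stores. The statements `ncalls--; ev->ev_ncalls = ncalls;` at the top of the hunk appear to sit in a loop whose header is outside the hunk, so it is worth confirming there that a further iteration cannot reach an `ev` the callback has already freed. Since the fault only showed up with the `F` malloc.conf option named in the message, keeping a regression run with that option enabled would catch a recurrence.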