From 4a1b3289c7a8abc9858bfd1ac2ced35e8d20dd68 Mon Sep 17 00:00:00 2001
From: David Lamparter <equinox@opensourcerouting.org>
Date: Wed, 29 Sep 2021 20:45:34 +0200
Subject: [PATCH] lib: null out deleted pointers in typesafe containers

Some of the typesafe containers didn't null out their innards of items
after an item was deleted or popped off the container.  This is both a
bit unsafe as well as hinders the upcoming _member() from working
efficiently.

Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
---
 lib/typerb.c   | 2 ++
 lib/typesafe.h | 4 ++++
 2 files changed, 6 insertions(+)

diff --git a/lib/typerb.c b/lib/typerb.c
index 092faa4cc9..151d91ce20 100644
--- a/lib/typerb.c
+++ b/lib/typerb.c
@@ -45,6 +45,7 @@
 #include "config.h"
 #endif
 
+#include <string.h>
 #include "typerb.h"
 
 #define RB_BLACK	0
@@ -330,6 +331,7 @@ color:
 		rbe_remove_color(rbt, parent, child);
 
 	rbt->count--;
+	memset(old, 0, sizeof(*old));
 	return (old);
 }
 
diff --git a/lib/typesafe.h b/lib/typesafe.h
index ecac1a4381..6d6fcf282e 100644
--- a/lib/typesafe.h
+++ b/lib/typesafe.h
@@ -169,6 +169,7 @@ macro_inline type *prefix ## _del(struct prefix##_head *h, type *item)         \
 	*iter = item->field.si.next;                                           \
 	if (!item->field.si.next)                                              \
 		h->sh.last_next = iter;                                        \
+	item->field.si.next = NULL;                                            \
 	return item;                                                           \
 }                                                                              \
 macro_inline type *prefix ## _pop(struct prefix##_head *h)                     \
@@ -180,6 +181,7 @@ macro_inline type *prefix ## _pop(struct prefix##_head *h)                     \
 	h->sh.first = sitem->next;                                             \
 	if (h->sh.first == NULL)                                               \
 		h->sh.last_next = &h->sh.first;                                \
+	sitem->next = NULL;                                                    \
 	return container_of(sitem, type, field.si);                            \
 }                                                                              \
 macro_inline void prefix ## _swap_all(struct prefix##_head *a,                 \
@@ -321,6 +323,7 @@ macro_inline type *prefix ## _pop(struct prefix##_head *h)                     \
 	ditem->prev->next = ditem->next;                                       \
 	ditem->next->prev = ditem->prev;                                       \
 	h->dh.count--;                                                         \
+	ditem->prev = ditem->next = NULL;                                      \
 	return container_of(ditem, type, field.di);                            \
 }                                                                              \
 macro_inline void prefix ## _swap_all(struct prefix##_head *a,                 \
@@ -565,6 +568,7 @@ macro_inline type *prefix ## _del(struct prefix##_head *h, type *item)         \
 		return NULL;                                                   \
 	h->sh.count--;                                                         \
 	*iter = item->field.si.next;                                           \
+	item->field.si.next = NULL;                                            \
 	return item;                                                           \
 }                                                                              \
 macro_inline type *prefix ## _pop(struct prefix##_head *h)                     \
-- 
2.39.5