tevent: fix crash bug in tevent_queue_immediate_trigger()

Assume we we have a queue with 2 entries (A and B with triggerA() and triggerB()).
If triggerA() removes itself tevent_queue_entry_destructor() will be called
for A, this schedules the immediate event to call triggerB().
If triggerA() then also removes B by an explicit of implizit talloc_free(),
q->list is NULL, but the immediate event is still scheduled and can't be unscheduled.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
(cherry picked from commit 7fe5584e2a59584431cb2ddf8a4da22bfb924454)

Autobuild-User(v4-0-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-0-test): Tue Apr  1 11:33:36 CEST 2014 on sn-devel-104

diff --git a/lib/tevent/tevent_queue.c b/lib/tevent/tevent_queue.c
index eeb922fbbc80644421889e679420599b12bff2aa..e32468098d762512d8bf31672c3087924477c6fc 100644 (file)
--- a/lib/tevent/tevent_queue.c
+++ b/lib/tevent/tevent_queue.c
@@ -144,6 +144,10 @@ static void tevent_queue_immediate_trigger(struct tevent_context *ev,
                return;
        }
 
+       if (!q->list) {
+               return;
+       }
+
        q->list->triggered = true;
        q->list->trigger(q->list->req, q->list->private_data);
 }