From b9da3d93207e46de895fd07cfe9de1edfa79efef Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ji=C5=99=C3=AD=20Klime=C5=A1?= <jklimes@redhat.com>
Date: Wed, 4 Nov 2015 15:48:28 +0100
Subject: [PATCH] policy: fix looping through list while removing elements (rh
 #1175446)

When g_slist_remove() was called, iter2 became invalid and accessing it
could cause a crash. The same was true for iter.
Fix the problem by getting the next list item before an element removal.

See a similar fix in bluez
http://git.kernel.org/cgit/bluetooth/bluez.git/commit/?id=be8c5be809875ba449a10ca29f5244f0231f6b63

https://bugzilla.redhat.com/show_bug.cgi?id=1175446
https://bugzilla.redhat.com/show_bug.cgi?id=1277247
---
 src/nm-policy.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/src/nm-policy.c b/src/nm-policy.c
index e186320d2..3a4236faf 100644
--- a/src/nm-policy.c
+++ b/src/nm-policy.c
@@ -752,17 +752,21 @@ process_secondaries (NMPolicy *policy,
                      gboolean connected)
 {
 	NMPolicyPrivate *priv = NM_POLICY_GET_PRIVATE (policy);
-	GSList *iter, *iter2;
+	GSList *iter, *iter2, *next, *next2;
 
 	/* Loop through devices waiting for secondary connections to activate */
-	for (iter = priv->pending_secondaries; iter; iter = g_slist_next (iter)) {
+	for (iter = priv->pending_secondaries; iter; iter = next) {
 		PendingSecondaryData *secondary_data = (PendingSecondaryData *) iter->data;
 		NMDevice *item_device = secondary_data->device;
 
+		next = g_slist_next (iter);
+
 		/* Look for 'active' in each device's secondary connections list */
-		for (iter2 = secondary_data->secondaries; iter2; iter2 = g_slist_next (iter2)) {
+		for (iter2 = secondary_data->secondaries; iter2; iter2 = next2) {
 			NMActiveConnection *secondary_active = NM_ACTIVE_CONNECTION (iter2->data);
 
+			next2 = g_slist_next (iter2);
+
 			if (active != secondary_active)
 				continue;