From 2a25e6518f6e2bd83dd4750bf023d332edef2063 Mon Sep 17 00:00:00 2001
From: Noriko Hosoi <nhosoi@redhat.com>
Date: Sun, 12 Sep 2010 19:23:14 -0700
Subject: agmtlist_shutdown (repl5_agmtlist.c) had an illegal access defect.

Object ro is freed in objset_next_obj and next object is returned
if any.  After ro is released, it was used to get agreement data.
This patch moves the location of objset_next_obj after the agreement
data is retrieved.
---
 ldap/servers/plugins/replication/repl5_agmtlist.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/ldap/servers/plugins/replication/repl5_agmtlist.c b/ldap/servers/plugins/replication/repl5_agmtlist.c
index f9aa610d..00b44592 100644
--- a/ldap/servers/plugins/replication/repl5_agmtlist.c
+++ b/ldap/servers/plugins/replication/repl5_agmtlist.c
@@ -75,7 +75,7 @@ typedef struct agmt_wrapper {
 Repl_Agmt *
 agmtlist_get_by_agmt_name(const Slapi_DN *agmt_name)
 {
-	Repl_Agmt *ra;
+	Repl_Agmt *ra = NULL;
 	Object *ro;
 
 	for (ro = objset_first_obj(agmt_set); NULL != ro;
@@ -634,10 +634,12 @@ agmtlist_shutdown()
 	ro = objset_first_obj(agmt_set);
 	while (NULL != ro)
 	{
-		next_ro = objset_next_obj(agmt_set, ro);
 		ra = (Repl_Agmt *)object_get_data(ro);
 		agmt_stop(ra);
-        agmt_update_consumer_ruv (ra);
+		agmt_update_consumer_ruv (ra);
+		next_ro = objset_next_obj(agmt_set, ro);
+		/* Object ro was released in objset_next_obj, 
+		 * but the address ro can be still used to remove ro from objset. */
 		objset_remove_obj(agmt_set, ro);
 		ro = next_ro;
 	}
-- 
cgit