[support] memory corruption bug in hai_copy()?

Vilmos Nebehaj vilmos.nebehaj at ramsys.hu
Wed Jul 30 17:56:40 JST 2008


Dear all,

please find attached a patch that is supposed to fix a memory
corruption bug in hai_copy().  It seems hai_copy() copies struct
mn_addrs from the list conf_hai->mcoa to hai->mcoa with
prefix_list_copy().  I introduced a new function, mnaddr_list_copy(),
to do that correctly.

In our test environment (UMIP-0.4 + NEMO-MCoA, multihoming MR) this
now works great.  I also checked with valgrind and it seems no memory
corruption happens anymore.

Can anyone confirm the patch does the right thing?  The line numbers
may be incorrect since we have other patches applied and some other
pending fixes as well.

Regards,
Vilmos
-------------- next part --------------
Index: src/mn.c
===================================================================
--- src/mn.c	(revision 2939)
+++ src/mn.c	(revision 2940)
@@ -2069,6 +2069,29 @@
 	return -1;
 }
 
+static int mnaddr_list_copy(const struct list_head *l1, struct list_head *l2)
+{
+	struct list_head *l, *n;
+	struct mn_addr *mn1, *mn2;
+
+	list_for_each(l, l1) {
+		mn1 = list_entry(l, struct mn_addr, list);
+		mn2 = malloc(sizeof(struct mn_addr));
+		if (mn2 == NULL)
+			goto undo;
+		memcpy(mn2, mn1, sizeof(struct mn_addr));
+		list_add_tail(&mn2->list, l2);
+	}
+	return 0;
+undo:
+	list_for_each_safe(l, n, l2) {
+		list_del(l);
+		mn2 = list_entry(l, struct mn_addr, list);
+		free(mn2);
+	}
+	return -1;
+}
+
 static struct home_addr_info *hai_copy(struct home_addr_info *conf_hai)
 {
 	struct home_addr_info *hai = malloc(sizeof(struct home_addr_info));
@@ -2091,7 +2114,7 @@
 
 		INIT_LIST_HEAD(&hai->mcoa);
 		if (hai->reg_mcoa && 
-		    prefix_list_copy(&conf_hai->mcoa, &hai->mcoa) < 0)
+		    mnaddr_list_copy(&conf_hai->mcoa, &hai->mcoa) < 0)
 			goto mutex_undo;
 
 		INIT_LIST_HEAD(&hai->ro_policies);
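Review bot: mnaddr_list_copy() releases whatever it added to hai->mcoa only when it fails itself, so please confirm that the failure paths after this point in hai_copy() (e.g. anything that jumps to mutex_undo once ro_policies has been set up) also free the elements now on hai->mcoa, otherwise the switch from prefix_list_copy() fixes the overrun but leaves a leak on the later error exits.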


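As an added illustration of the failure mode the mail describes (copying a list of struct mn_addr with a copier sized for a smaller element type), here is a self-contained C example written for this note; it is not UMIP's, NEMO-MCoA's or the patch author's code. The struct layouts, the prefix_list_copy() body, the canary-checked bump allocator and the mn_addr_refresh() helper are all assumptions made so the corruption can be observed deterministically without valgrind; the typed copier mirrors the shape of the patch's mnaddr_list_copy().

```c
#include <stddef.h>
#include <string.h>

/* Minimal intrusive doubly linked list in the style of list.h. */
struct list_head { struct list_head *next, *prev; };

static void init_list_head(struct list_head *h) { h->next = h->prev = h; }
static void list_add_tail(struct list_head *n, struct list_head *h)
{
	n->prev = h->prev; n->next = h; h->prev->next = n; h->prev = n;
}
#define list_entry(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))
#define list_for_each(p, h) for ((p) = (h)->next; (p) != (h); (p) = (p)->next)

struct in6_addr_ { unsigned char s6_addr[16]; }; /* stand-in for in6_addr */

/* Assumed element layouts, not UMIP's real definitions: a prefix list
 * entry is small, struct mn_addr carries extra per-address state. */
struct prefix_list_entry { struct list_head list; struct in6_addr_ prefix; int plen; };
struct mn_addr {
	struct list_head list;
	struct in6_addr_ addr;
	int plen;
	int iif;
	unsigned long valid_time;
	unsigned long preferred_time;
	unsigned int bid;
};

/* Bump allocator standing in for malloc(): one canary byte right after
 * each chunk, so a write past the end of a chunk is detectable. */
#define ARENA_SIZE 4096
#define CANARY 0xA5
static unsigned char arena[ARENA_SIZE];
static size_t arena_off, canary_pos[64], ncanary;

static void arena_reset(void) { arena_off = 0; ncanary = 0; }
static void *arena_alloc(size_t n)
{
	size_t rounded = (n + 1 + 15) & ~(size_t)15;
	if (arena_off + rounded > ARENA_SIZE || ncanary == 64) return NULL;
	void *p = arena + arena_off;
	arena[arena_off + n] = CANARY;
	canary_pos[ncanary++] = arena_off + n;
	arena_off += rounded;
	return p;
}
static int arena_intact(void)
{
	for (size_t i = 0; i < ncanary; i++)
		if (arena[canary_pos[i]] != CANARY) return 0;
	return 1;
}

/* The wrong copier: sized for struct prefix_list_entry. Run over a list of
 * struct mn_addr it allocates and copies too few bytes for every element. */
static int prefix_list_copy(const struct list_head *src, struct list_head *dst)
{
	struct list_head *l;
	list_for_each(l, src) {
		struct prefix_list_entry *c = arena_alloc(sizeof *c);
		if (!c) return -1;
		memcpy(c, list_entry(l, struct prefix_list_entry, list), sizeof *c);
		list_add_tail(&c->list, dst);
	}
	return 0;
}

/* The typed copier, shaped like the patch's mnaddr_list_copy(). */
static int mnaddr_list_copy(const struct list_head *src, struct list_head *dst)
{
	struct list_head *l;
	list_for_each(l, src) {
		struct mn_addr *c = arena_alloc(sizeof *c);
		if (!c) return -1;
		memcpy(c, list_entry(l, struct mn_addr, list), sizeof *c);
		list_add_tail(&c->list, dst);
	}
	return 0;
}

/* Later code treats the copied element as a struct mn_addr, e.g. when it
 * refreshes lifetimes; on a truncated copy these stores land out of bounds. */
static void mn_addr_refresh(struct mn_addr *m, unsigned long valid, unsigned long pref)
{
	m->iif = 2; m->valid_time = valid; m->preferred_time = pref; m->bid = 1;
}

/* Returns 1 if refreshing the copied address left every canary intact,
 * 0 if the copy was too small and the write clobbered its neighbour. */
static int copy_then_refresh(int use_typed_copier)
{
	struct list_head src, dst, *l;
	struct mn_addr a = { .plen = 64, .iif = 3, .valid_time = 600,
			     .preferred_time = 300, .bid = 1 }; /* constructed sample */
	int rc;

	arena_reset();
	init_list_head(&src); init_list_head(&dst);
	a.addr.s6_addr[0] = 0x20; a.addr.s6_addr[1] = 0x01;
	list_add_tail(&a.list, &src);
	rc = use_typed_copier ? mnaddr_list_copy(&src, &dst) : prefix_list_copy(&src, &dst);
	if (rc < 0) return -1;
	list_for_each(l, &dst)
		mn_addr_refresh(list_entry(l, struct mn_addr, list), 1200, 600);
	return arena_intact();
}
```

copy_then_refresh(0) reproduces the mail's symptom: the element allocated by the prefix-sized copier is shorter than struct mn_addr, so the first store to a field past sizeof(struct prefix_list_entry) overwrites the canary (in a real heap, the next chunk's header or data). copy_then_refresh(1) takes the typed copier and leaves every canary intact, which is the property valgrind was confirming in the original test setup.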