From 7f4e47f0b3ff1ae686bafc03bfd17408337132fc Mon Sep 17 00:00:00 2001
From: Marko Lindqvist
Date: Sat, 22 Apr 2023 13:36:29 +0300
Subject: [PATCH 46/46] Fix cargo_iter_next() out-of-bounds read
If cargo_iter_next() was called when iterator had already reached the topmost transport in the end, it tried to look for upper level transport. Reported by alain_bkr See osdn #47900
Signed-off-by: Marko Lindqvist
---
 common/unit.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/common/unit.c b/common/unit.c
index 305af7ca3e..51ee0b1a60 100644
--- a/common/unit.c
+++ b/common/unit.c
@@ -2471,7 +2471,7 @@ static void cargo_iter_next(struct iterator *it)
 return;
 }
- do {
+ while (iter->depth > 0) {
 /* Variant 2: there are other cargo units at same level. */
 pnext = unit_list_link_next(piter);
 if (NULL != pnext) {
@@ -2481,7 +2481,7 @@ static void cargo_iter_next(struct iterator *it)
 /* Variant 3: return to previous level, and do same tests. */
 piter = iter->links[iter->depth-- - 2];
- } while (0 < iter->depth);
+ }
 }
 /**********************************************************************//**
-- 
2.39.2
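Review bot: The unchanged line `piter = iter->links[iter->depth-- - 2];` in the second hunk still computes index -1 when the loop body runs with `iter->depth == 1`, which the new `while (iter->depth > 0)` condition allows, so the commit stops the depth-0 case but leaves a read before the start of `links` in place. The loaded value is never used because the loop exits right after, yet it is still an out-of-bounds read (and a very large index if `depth` is unsigned; its type is not visible here). Decrementing first and loading only when a parent level remains avoids it: `if (--iter->depth > 0) { piter = iter->links[iter->depth - 1]; }`. The function starts above the first hunk, so the initial load of `piter` should be checked for the same depth-0 assumption.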