Hi, So any comments or questions on this report? Any reason there hasn't yet been a response?
To summarize: The current rpc code uses the 'next' pointer in a linked list element after after the element has been free()'d. The fix saves the value of the 'next' pointer and uses the saved value rather than a pointer to the (free()'d) 'next' pointer. Upstream cvs still has this bug, would it be helpful if I forwarded this upstream? -David