autofs-5.1.1 - fix use-after-free in st_queue_handler()

From: Frank Sorenson <sorenson@redhat.com>

The task may be referenced after being freed.  Move the
free to after the list_del_init.

Signed-off-by: Frank Sorenson <sorenson@redhat.com>
Signed-off-by: Ian Kent <raven@themaw.net>
---
 CHANGELOG      |    1 +
 daemon/state.c |    2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG b/CHANGELOG
index 3f85c17..864d370 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -42,6 +42,7 @@
 - fix use after free in match_my_name().
 - improve scalability of direct mount path component.
 - always set direct mounts catatonic at exit.
+- fix use-after-free in st_queue_handler().
 
 21/04/2015 autofs-5.1.1
 =======================
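Review bot: The added entry spells the bug class "use-after-free", while the existing entry two lines above it reads "fix use after free in match_my_name()". Pick one spelling so that a search of the CHANGELOG for either form finds both fixes.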
diff --git a/daemon/state.c b/daemon/state.c
index 3ef8d95..ed533da 100644
--- a/daemon/state.c
+++ b/daemon/state.c
@@ -1182,9 +1182,9 @@ remove:
 							struct state_queue, pending);
 
 				list_del(&task->list);
+				list_del_init(&next->pending);
 				free(task);
 
-				list_del_init(&next->pending);
 				list_add_tail(&next->list, head);
 				if (p == head)
 					p = head->next;
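Review bot: The ordering of `list_del_init(&next->pending);` before `free(task);` is now a correctness requirement, but nothing in the code records it, so a later cleanup could silently reorder the two calls again. The visible lines do not show how `next->pending` relates to `task`; going by the commit message, unlinking it still references the task, so a one-line comment above the moved call stating that dependency would help. The commit message also describes moving the free, while the diff moves the `list_del_init`; the resulting order is the same, but wording that matches the diff is easier to follow in the log.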