local_sock: fix accept use-after-free

we should get next waiter before acceptor released

Signed-off-by: fangzhenwei <fangzhenwei@xiaomi.com>

include/nuttx/queue.h

@@ -170,6 +170,9 @@
   for((p) = (q)->head, (tmp) = (p) ? (p)->flink : NULL; \
       (p) != NULL; (p) = (tmp), (tmp) = (p) ? (p)->flink : NULL)
 
+#define dq_for_every(q, p) sq_for_every(q, p)
+#define dq_for_every_safe(q, p, tmp) sq_for_every_safe(q, p, tmp)
+
 #define sq_rem(p, q) \
   do \
     { \

net/local/local_release.c

@@ -73,14 +73,13 @@ int local_release(FAR struct local_conn_s *conn)
     {
       FAR struct local_conn_s *accept;
       FAR dq_entry_t *waiter;
+      FAR dq_entry_t *tmp;
 
       DEBUGASSERT(conn->lc_proto == SOCK_STREAM);
 
       /* Are there still clients waiting for a connection to the server? */
 
-      for (waiter = dq_peek(&conn->u.server.lc_waiters);
+      dq_for_every_safe(&conn->u.server.lc_waiters, waiter, tmp)
-           waiter != NULL;
-           waiter = dq_next(&accept->u.accept.lc_waiter))
         {
           accept = container_of(waiter, struct local_conn_s,
                                 u.accept.lc_waiter);