diff options
| author | Lukas Anzinger <lukas@lukasanzinger.at> | 2014-05-18 18:40:19 +0200 |
|---|---|---|
| committer | Lucas De Marchi <lucas.demarchi@intel.com> | 2014-05-18 16:04:50 -0300 |
| commit | 86e19e9acd62e5729fa66e850fd13df991ae7fca (patch) | |
| tree | 77b1e642a7ffbcc1d825cee13ffcdf975c838536 | |
| parent | 30bfd48aeffa6465d2de0e927cdfc6205c1f1fd2 (diff) | |
| download | kmod-86e19e9acd62e5729fa66e850fd13df991ae7fca.tar.gz kmod-86e19e9acd62e5729fa66e850fd13df991ae7fca.tar.bz2 kmod-86e19e9acd62e5729fa66e850fd13df991ae7fca.zip | |
Fix use-after-free in hash implementation.
If a value is added to the hash under a key that already exists the new value
replaces the old value for that key. Since key can be a pointer to data that
is part of value and freed by hash->free_value(), the key must be also
replaced and not only the value. Otherwise key potentially points to freed data.
| -rw-r--r-- | libkmod/libkmod-hash.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/libkmod/libkmod-hash.c b/libkmod/libkmod-hash.c index c751d2d..eb7afb7 100644 --- a/libkmod/libkmod-hash.c +++ b/libkmod/libkmod-hash.c @@ -169,6 +169,7 @@ int hash_add(struct hash *hash, const char *key, const void *value) if (c == 0) { if (hash->free_value) hash->free_value((void *)entry->value); + entry->key = key; entry->value = value; return 0; } else if (c < 0) { |