postgres/timescaledb
1
0
Fork 0
mirror of https://github.com/timescale/timescaledb.git synced 2025-05-22 13:40:56 +08:00
Code Issues Packages Projects Releases Wiki Activity

Fix use after free in cache

Browse Source 
When calling hash_search with HASH_REMOVE the returned pointer should not
be dereferenced because it returns a dangling pointer
This commit is contained in:
Dmitry Simonenko 2021-04-19 12:28:25 +03:00 committed by Dmitry Simonenko
parent c8535f91af
commit 16accae67d
1 changed files with 9 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
src/cache.c
View File

@ -209,17 +209,20 @@ bool
ts_cache_remove(Cache *cache, void *key) ts_cache_remove(Cache *cache, void *key)
{ {
bool found; bool found;
void *entry;
entry = hash_search(cache->htab, key, HASH_REMOVE, &found); if (cache->remove_entry != NULL)
if (found)
{ {
if (cache->remove_entry != NULL) /* In case we want to free the removing entry we must do it beforehand
* because HASH_REMOVE call returns dangling pointer, which cannot be used */
void *entry = hash_search(cache->htab, key, HASH_FIND, &found);
if (found)
cache->remove_entry(entry); cache->remove_entry(entry);
cache->stats.numelements--;
} }
hash_search(cache->htab, key, HASH_REMOVE, &found);
if (found)
cache->stats.numelements--;
return found; return found;
} }