postgres/timescaledb
1
0
Fork 0
mirror of https://github.com/timescale/timescaledb.git synced 2025-05-22 22:11:29 +08:00
Code Issues Packages Projects Releases Wiki Activity

Fix use after free in cache

Browse Source 
When calling hash_search with HASH_REMOVE the returned pointer should not
be dereferenced because it returns a dangling pointer
This commit is contained in:
Dmitry Simonenko 2021-04-19 12:28:25 +03:00 committed by Dmitry Simonenko
parent c8535f91af
commit 16accae67d
1 changed files with 9 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
src/cache.c
View File

@ -209,17 +209,20 @@ bool
ts_cache_remove(Cache *cache, void *key)
{
bool found;
void *entry;
entry = hash_search(cache->htab, key, HASH_REMOVE, &found);
if (found)
if (cache->remove_entry != NULL)
{
if (cache->remove_entry != NULL)
/* In case we want to free the removing entry we must do it beforehand
* because HASH_REMOVE call returns dangling pointer, which cannot be used */
void *entry = hash_search(cache->htab, key, HASH_FIND, &found);
if (found)
cache->remove_entry(entry);
cache->stats.numelements--;
}
hash_search(cache->htab, key, HASH_REMOVE, &found);
if (found)
cache->stats.numelements--;
return found;
}