From 0a1fa90d723d085bc869bc423619e1a8ee421fd0 Mon Sep 17 00:00:00 2001 From: Linus Nordberg Date: Fri, 16 Jan 2015 16:31:02 +0100 Subject: Fix use-after-free in hash_extract(). MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Patch by Stephen Röttger. --- AUTHORS | 1 + hash.c | 4 +++- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/AUTHORS b/AUTHORS index de1e005..0e0436a 100644 --- a/AUTHORS +++ b/AUTHORS @@ -22,4 +22,5 @@ Ralf Paffrath Simon Leinen Simon Lundström Stefan Winter +Stephen Röttger Stig Venaas diff --git a/hash.c b/hash.c index ab17433..19d6c18 100644 --- a/hash.c +++ b/hash.c @@ -87,6 +87,7 @@ void *hash_read(struct hash *h, void *key, uint32_t keylen) { void *hash_extract(struct hash *h, void *key, uint32_t keylen) { struct list_node *ln; struct hash_entry *e; + void *data; if (!h) return 0; @@ -96,9 +97,10 @@ void *hash_extract(struct hash *h, void *key, uint32_t keylen) { if (e->keylen == keylen && !memcmp(e->key, key, keylen)) { free(e->key); list_removedata(h->hashlist, e); + data = e->data; free(e); pthread_mutex_unlock(&h->mutex); - return e->data; + return data; } } pthread_mutex_unlock(&h->mutex); -- cgit v1.1