From ed86dbc57e00173534ceeb325d209e8a11b0d569 Mon Sep 17 00:00:00 2001
From: Linus Nordberg
Date: Fri, 16 Jan 2015 16:31:02 +0100
Subject: Fix use-after-free in hash_extract().
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Patch by Stephen Röttger.
---
 hash.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
(limited to 'hash.c')
diff --git a/hash.c b/hash.c
index fd3c04b..19a5eba 100644
--- a/hash.c
+++ b/hash.c
@@ -92,6 +92,7 @@ void *hash_read(struct hash *h, void *key, uint32_t keylen) {
 void *hash_extract(struct hash *h, void *key, uint32_t keylen) {
 struct list_node *ln;
 struct hash_entry *e;
+ void *data;

 if (!h)
 return 0;
@@ -101,9 +102,10 @@ void *hash_extract(struct hash *h, void *key, uint32_t keylen) {
 if (e->keylen == keylen && !memcmp(e->key, key, keylen)) {
 free(e->key);
 list_removedata(h->hashlist, e);
+ data = e->data;
 free(e);
 pthread_mutex_unlock(&h->mutex);
- return e->data;
+ return data;
 }
 }
 pthread_mutex_unlock(&h->mutex);
-- 
cgit v1.1
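Review bot: `data` is declared uninitialized at the top of hash_extract() in the first hunk, but it is only assigned and read inside the match branch shown in the second hunk; declaring it there as the first line of the `if` body, `void *data = e->data;`, keeps the saved pointer next to the `free(e)` it has to precede and leaves no path on which an indeterminate value could be returned after a later edit. The ordering is the whole fix, so a short comment on that line such as `/* read before free(e): e must not be touched afterwards */` would stop someone from folding the read back into the return statement. It would also help to say in the function's header comment that the entry and its key are freed here and the returned data pointer is left for the caller to manage; that looks like the intent from the visible lines, but confirm it against the callers. The body of hash_extract() continues outside both hunks.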