Resolve segfault when a new hashtable node is allocated. #20
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Around line 117, `n->flag` is checked and if true `n->u.key` and `n->val` are freed. If `n` is uninitialized data, `n->flag` may sometimes be true, and under that circumstance a segfault occurs during `free(n->u.key)` or `free(n->val)`.
|
Awesome, great catch, thank you! 😎👍 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
In
libmdnsd/xht.c, at line 110, if a candidate node is not found, a new one is allocated.Around line 116, if
n->flagis true thenn->u.keyandn->valare freed. However, since the memory allocated at line 110 was not initialized,nmay contain any kind of data, which may unpredictably causen->flagto have a nonzero value. When it does, a segfault occurs duringfree(n->u.key)orfree(n->val).Valgrind detects this issue as a conditional jump based on an uninitialized value. (Note that because the initial elements of the
xht_t.zenmember are zeroed during allocation viacalloc, a hash collision must be created before this behavior can be witnessed. With aprimevalue of11, hash keys"server"and"version9"produce the necessary collision. Of course, while this is enough to detect the issue under valgrind, it is not enough to actually trigger the segfault every time because that depends on the random bits in the memory that was allocated.)This pull request resolves the issue by zeroing
nafter its memory is allocated.