Merge remote-tracking branch 'origin/fastpath'

* origin/fastpath: Fix use-after-free in some cases of reassigning a table index.
2025-10-06 16:48:19 +00:00 · 2014-06-10 18:16:51 -07:00 · 2014-06-10 18:16:51 -07:00 · ba229f798d
commit ba229f798d
parent c289a2743b e616554ab8
5 changed files with 36 additions and 4 deletions
--- a/5
+++ b/5
@ -1,4 +1,9 @@

+2.3-beta-20 | 2014-06-10 18:16:51 -0700
+
+  * Fix use-after-free in some cases of reassigning a table index.
+    Addresses BIT-1202. (Jon Siwek)
+
 2.3-beta-18 | 2014-06-06 13:11:50 -0700

  * Add two more SSL events, one triggered for each handshake message
--- a/2
+++ b/2
@ -1 +1 @@
-2.3-beta-18
+2.3-beta-20
--- a/src/Val.cc
+++ b/src/Val.cc
@ -1471,13 +1471,20 @@ int TableVal::Assign(Val* index, HashKey* k, Val* new_val, Opcode op)
 		}

 	TableEntryVal* new_entry_val = new TableEntryVal(new_val);
+	HashKey k_copy(k->Key(), k->Size(), k->Hash());
 	TableEntryVal* old_entry_val = AsNonConstTable()->Insert(k, new_entry_val);

+	// If the dictionary index already existed, the insert may free up the
+	// memory allocated to the key bytes, so have to assume k is invalid
+	// from here on out.
+	delete k;
+	k = 0;
+
 	if ( subnets )
 		{
 		if ( ! index )
 			{
-			Val* v = RecoverIndex(k);
+			Val* v = RecoverIndex(&k_copy);
 			subnets->Insert(v, new_entry_val);
 			Unref(v);
 			}
@ -1489,7 +1496,7 @@ int TableVal::Assign(Val* index, HashKey* k, Val* new_val, Opcode op)
 		{
 		Val* rec_index = 0;
 		if ( ! index )
-			index = rec_index = RecoverIndex(k);
+			index = rec_index = RecoverIndex(&k_copy);

 		if ( new_val )
 			{
@ -1547,7 +1554,6 @@ int TableVal::Assign(Val* index, HashKey* k, Val* new_val, Opcode op)
 	if ( old_entry_val && attrs && attrs->FindAttr(ATTR_EXPIRE_CREATE) )
 		new_entry_val->SetExpireAccess(old_entry_val->ExpireAccessTime());

-	delete k;
 	if ( old_entry_val )
 		{
 		old_entry_val->Unref();
--- a/testing/btest/Baseline/language.redef-same-prefixtable-idx/out
+++ b/testing/btest/Baseline/language.redef-same-prefixtable-idx/out
@ -0,0 +1,4 @@
+{
+[3.0.0.0/8] = 2.0.0.0/8
+}
+2.0.0.0/8
--- a/testing/btest/language/redef-same-prefixtable-idx.bro
+++ b/testing/btest/language/redef-same-prefixtable-idx.bro
@ -0,0 +1,17 @@
+# @TEST-EXEC: bro -b %INPUT >out
+# @TEST-EXEC: btest-diff out
+
+const my_table: table[subnet] of subnet &redef;
+
+redef my_table[3.0.0.0/8] = 1.0.0.0/8;
+redef my_table[3.0.0.0/8] = 2.0.0.0/8;
+
+# The above is basically a shorthand for:
+# redef my_table += { [3.0.0.0/8] = 1.0.0.0/8 };
+# redef my_table += { [3.0.0.0/8] = 2.0.0.0/8 };
+
+event bro_init()
+	{
+	print my_table;
+	print my_table[3.0.0.0/8];
+	}