Hey there,

Turns out that when inserting items in xhash, the code stores a pointer to
the key passed in by the user in the xhash node and uses that later to
compare in _get. The problem is that it breaks scenarios where the user may
use a temp buffer to build the key, then insert or put it in the xhash
and then free the buffer memory. Assumption here is that xhash code
would allocate necessary buffer to store internal data and not rely on
user supplied memory to maintain it=A9=F6s internal data structures.

In the example above, the put succeeds, user frees the memory, so its
Pointing to garbage and a later a call to _get can't find the entry
because the keys mismatch, i.e., a user supplied valid string key and
NULL memory that the xhash node points to.

Any ideas if there was a particular reason this was designed this way? I
imagine, in most of the cases the key is inside the object being stored
so it works out. However, as you can see, the xhash implementation
canĀ¹t be fully exploited/used.

It would be trivial, I would imagine, to make a copy of the key and
store that instead of just the pointer to user supplied memory. On
removal in zap_internal, the memory would be freed.

Thoughts? Concerns? Let me know :)

Shawn



Reply via email to