From 779ad6641b9a6443eaec75439b3374b1a7b8794c Mon Sep 17 00:00:00 2001
From: Mike Hommey
Date: Sun, 25 Aug 2019 14:18:18 +0900
Subject: notes: avoid leaking duplicate entries
When add_note is called multiple times with the same key/value pair, the leaf_node it creates is leaked by notes_tree_insert.
Signed-off-by: Mike Hommey
Signed-off-by: Junio C Hamano
---
 notes.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
(limited to 'notes.c')
diff --git a/notes.c b/notes.c
index 532ec37865..3130add618 100644
--- a/notes.c
+++ b/notes.c
@@ -269,8 +269,10 @@ static int note_tree_insert(struct notes_tree *t, struct int_node *tree,
 case PTR_TYPE_NOTE:
 if (oideq(&l->key_oid, &entry->key_oid)) {
 /* skip concatenation if l == entry */
- if (oideq(&l->val_oid, &entry->val_oid))
+ if (oideq(&l->val_oid, &entry->val_oid)) {
+ free(entry);
 return 0;
+ }
 ret = combine_notes(&l->val_oid, &entry->val_oid);
-- cgit v1.2.3
From 60fe477a0be2a3801e5ce3913e0be8e8e2e58e4f Mon Sep 17 00:00:00 2001
From: Jeff King
Date: Sun, 25 Aug 2019 03:19:51 -0400
Subject: notes: avoid potential use-after-free during insertion
The note_tree_insert() function may free the leaf_node struct we pass in (e.g., if it's a duplicate, or if it needs to be combined with an existing note). Most callers are happy with this, as they assume that ownership of the struct is handed off. But in load_subtree(), if we see an error we'll use the handed-off struct's key_oid to generate the die() message, potentially accessing freed memory. We can easily fix this by instead using the original oid that we copied into the leaf_node struct.
Signed-off-by: Jeff King
Signed-off-by: Junio C Hamano
---
 notes.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'notes.c')
diff --git a/notes.c b/notes.c
index 3130add618..9533a14a13 100644
--- a/notes.c
+++ b/notes.c
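Review bot: The added `free(entry)` on the duplicate path means note_tree_insert() now consumes `entry` on this return as well as on the combine path, but nothing in the hunk or at the prototype records that the callee owns the struct, so a caller that still touches `entry` after the call (even on an error return) reads freed memory. I would document the contract on the function's declaration, which lies outside the hunk: `/* Takes ownership of entry: it may be freed before return, even on error. */`. The second patch on this page fixes one such caller in load_subtree(), which suggests the contract is easy to miss. note_tree_insert()'s body both starts and ends outside the hunk, and the hunk as shown appears to be missing its trailing context lines.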
@@ -460,7 +460,7 @@ static void load_subtree(struct notes_tree *t, struct leaf_node *subtree,
 die("Failed to load %s %s into notes tree "
 "from %s",
 type == PTR_TYPE_NOTE ? "note" : "subtree",
- oid_to_hex(&l->key_oid), t->ref);
+ oid_to_hex(&object_oid), t->ref);
 continue;
-- cgit v1.2.3
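Review bot: The new `oid_to_hex(&object_oid)` is correct only because `object_oid` is the local copy that was placed into `l->key_oid` before the insert, and the hunk gives no hint why `l` must not be dereferenced here, so a later cleanup could plausibly revert to `l->key_oid`. I would add a comment directly above the die() call: `/* l may already have been freed by note_tree_insert(); use our own copy of the oid. */`. The rest of load_subtree(), including the allocation of `l` and the assignment of `object_oid`, lies outside the hunk, as does the note_tree_insert() call whose failure triggers this die().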