changeset 2297:6d56080f495c

Fix a read-after-free bug using a timestamp check
author Adam Chlipala <adam@chlipala.net>
date Thu, 19 Nov 2015 13:18:58 -0500 (2015-11-19)
parents 5104e480b3e3
children 6e580e319077
files src/c/urweb.c src/lru_cache.sml
diffstat 2 files changed, 7 insertions(+), 6 deletions(-) [+]
--- a/src/c/urweb.c	Thu Nov 19 10:31:47 2015 -0500
+++ b/src/c/urweb.c	Thu Nov 19 13:18:58 2015 -0500
@@ -4720,9 +4720,11 @@
     }
     free(key);
   }
-  uw_Sqlcache_freeValue(entry->value);
-  entry->value = value;
-  entry->value->timeValid = timeNow;
+  if (entry->value && entry->value->timeValid < value->timeValid) {
+    uw_Sqlcache_freeValue(entry->value);
+    entry->value = value;
+    entry->value->timeValid = timeNow;
+  }
   pthread_rwlock_unlock(&cache->lockIn);
 }
 
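Review bot: The new guard `entry->value && entry->value->timeValid < value->timeValid` skips the store whenever `entry->value` is NULL, so an entry that has no value yet would never be populated. The code that finds or creates `entry` is above the hunk, but if a fresh entry can reach this point the condition should read `if (!entry->value || entry->value->timeValid < value->timeValid) {`. In the branch where the incoming `value` is rejected, nothing visible frees it, so each dropped update appears to leak. Adding `else { uw_Sqlcache_freeValue(value); }` would close that, provided no caller touches `value` after this function returns.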
@@ -4807,6 +4809,7 @@
   update->keys = uw_Sqlcache_copyKeys(keys, cache->numKeys);
   update->value = value;
   update->next = NULL;
+  value->timeValid = uw_Sqlcache_getTimeNow(cache);
   if (ctx->cacheUpdateTail) {
     ctx->cacheUpdateTail->next = update;
   } else {
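Review bot: The added `value->timeValid = uw_Sqlcache_getTimeNow(cache);` carries no comment, yet the timestamp comparison in the first hunk of this file depends on it, and it replaces the initialisation that the generator in src/lru_cache.sml used to emit. I would add a comment above it such as `/* Stamp when the update is queued; the store path drops the value if the entry already holds one that is not older. */`. `value` is also dereferenced here without a NULL check, and the generated caller (which appears to be the code in the lru_cache.sml hunk) does not check its `malloc` result, so an allocation failure would fault on this line. The function body starts and ends outside the hunk.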
--- a/src/lru_cache.sml	Thu Nov 19 10:31:47 2015 -0500
+++ b/src/lru_cache.sml	Thu Nov 19 13:18:58 2015 -0500
@@ -136,14 +136,12 @@
              newline,
              string ("  char *ks[] = {" ^ revArgs ^ "};"),
              newline,
-             string ("  uw_Sqlcache_Value *v = calloc(1, sizeof(uw_Sqlcache_Value));"),
+             string ("  uw_Sqlcache_Value *v = malloc(sizeof(uw_Sqlcache_Value));"),
              newline,
              string "  v->result = strdup(s);",
              newline,
              string "  v->output = uw_recordingRead(ctx);",
              newline,
-             string "  v->timeValid = 0;",
-             newline,
              (*string ("  puts(\"SQLCACHE: stored " ^ i ^ ".\");"),
              newline,*)
              string ("  uw_Sqlcache_store(ctx, cache" ^ i ^ ", ks, v);"),
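Review bot: Switching the emitted allocation to `malloc` leaves the new `uw_Sqlcache_Value` uninitialised, and the result is still not checked before `v->result = strdup(s);` is emitted, so an allocation failure in the generated C becomes a NULL dereference. Only `result` and `output` are assigned here. `timeValid` is now expected to be set by the store path, and any other field of the struct (its definition is not in this diff) would hold indeterminate data. Keeping `calloc(1, sizeof(uw_Sqlcache_Value))` keeps later reads defined, and I would also emit an `if (!v)` guard that takes the project's usual error path before the first assignment.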