[td-225] fix invalid read in taocache

4be7a595 · Haojun Liao · cf840735 · 4be7a595 · 4be7a595 · 4be7a595
隐藏空白更改
内联并排

Showing with 7 addition and 8 deletion

src/util/inc/tcache.h src/util/inc/tcache.h +1 -1

src/util/src/hash.c src/util/src/hash.c +1 -3

src/util/src/tcache.c src/util/src/tcache.c +5 -4

未找到文件。
--- a/src/util/inc/tcache.h
+++ b/src/util/inc/tcache.h
@@ -47,7 +47,7 @@ typedef struct SCacheDataNode {
 typedef struct STrashElem {
  struct STrashElem *prev;
  struct STrashElem *next;
-  SCacheDataNode *        pData;
+  SCacheDataNode    *pData;
 } STrashElem;

 typedef struct {

--- a/src/util/src/hash.c
+++ b/src/util/src/hash.c
@@ -529,7 +529,7 @@ void taosHashTableResize(SHashObj *pHashObj) {
 }

 SHashNode *doCreateHashNode(const void *key, size_t keyLen, const void *pData, size_t dsize, uint32_t hashVal) {
-  size_t totalSize = dsize + sizeof(SHashNode) + keyLen + 1;  // one extra byte for null
+  size_t totalSize = dsize + sizeof(SHashNode) + keyLen;
  
  SHashNode *pNewNode = calloc(1, totalSize);
  if (pNewNode == NULL) {
@@ -544,7 +544,6 @@ SHashNode *doCreateHashNode(const void *key, size_t keyLen, const void *pData, s
  pNewNode->keyLen = keyLen;
  
  pNewNode->hashVal = hashVal;
-  
  return pNewNode;
 }

@@ -559,7 +558,6 @@ SHashNode *doUpdateHashNode(SHashNode *pNode, const void *key, size_t keyLen, co
  memcpy(pNewNode->data, pData, dsize);
  
  pNewNode->key = pNewNode->data + dsize;
-  
  assert(memcmp(pNewNode->key, key, keyLen) == 0 && keyLen == pNewNode->keyLen);
  
  memcpy(pNewNode->key, key, keyLen);

--- a/src/util/src/tcache.c
+++ b/src/util/src/tcache.c
@@ -77,7 +77,7 @@ static FORCE_INLINE void taosFreeNode(void *data) {
 * @param lifespan total survial expiredTime from now
 * @return         SCacheDataNode
 */
-static SCacheDataNode *taosCreateHashNode(const char *key, size_t keyLen, const char *pData, size_t size,
+static SCacheDataNode *taosCreateCacheNode(const char *key, size_t keyLen, const char *pData, size_t size,
                                          uint64_t duration) {
  size_t totalSize = size + sizeof(SCacheDataNode) + keyLen + 1;
  
@@ -242,13 +242,14 @@ static SCacheDataNode *taosUpdateCacheImpl(SCacheObj *pCacheObj, SCacheDataNode
  
  // only a node is not referenced by any other object, in-place update it
  if (T_REF_VAL_GET(pNode) == 0) {
-    size_t newSize = sizeof(SCacheDataNode) + dataSize + keyLen;
+    size_t newSize = sizeof(SCacheDataNode) + dataSize + keyLen + 1;
    
    pNewNode = (SCacheDataNode *)realloc(pNode, newSize);
    if (pNewNode == NULL) {
      return NULL;
    }
    
+    memset(pNewNode, 0, newSize);
    pNewNode->signature = (uint64_t)pNewNode;
    memcpy(pNewNode->data, pData, dataSize);
    
@@ -267,7 +268,7 @@ static SCacheDataNode *taosUpdateCacheImpl(SCacheObj *pCacheObj, SCacheDataNode
  } else {
    taosCacheMoveToTrash(pCacheObj, pNode);
    
-    pNewNode = taosCreateHashNode(key, keyLen, pData, dataSize, duration);
+    pNewNode = taosCreateCacheNode(key, keyLen, pData, dataSize, duration);
    if (pNewNode == NULL) {
      return NULL;
    }
@@ -293,7 +294,7 @@ static SCacheDataNode *taosUpdateCacheImpl(SCacheObj *pCacheObj, SCacheDataNode
 */
 static FORCE_INLINE SCacheDataNode *taosAddToCacheImpl(SCacheObj *pCacheObj, const char *key, size_t keyLen, const void *pData,
                                                       size_t dataSize, uint64_t duration) {
-  SCacheDataNode *pNode = taosCreateHashNode(key, keyLen, pData, dataSize, duration);
+  SCacheDataNode *pNode = taosCreateCacheNode(key, keyLen, pData, dataSize, duration);
  if (pNode == NULL) {
    return NULL;
  }