From 30dd885d1fc3013be0e3c2a45b2e0117f684f40a Mon Sep 17 00:00:00 2001
From: Adam Chlipala
Date: Thu, 19 Nov 2015 13:18:58 -0500
Subject: Fix a read-after-free bug using a timestamp check
---
 src/c/urweb.c | 9 ++++++---
 src/lru_cache.sml | 4 +---
 2 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/src/c/urweb.c b/src/c/urweb.c
index 945a6890..093a5294 100644
--- a/src/c/urweb.c
+++ b/src/c/urweb.c
@@ -4720,9 +4720,11 @@ static void uw_Sqlcache_storeCommitOne(uw_Sqlcache_Cache *cache, char **keys, uw
 }
 free(key);
 }
- uw_Sqlcache_freeValue(entry->value);
- entry->value = value;
- entry->value->timeValid = timeNow;
+ if (entry->value && entry->value->timeValid < value->timeValid) {
+ uw_Sqlcache_freeValue(entry->value);
+ entry->value = value;
+ entry->value->timeValid = timeNow;
+ }
 pthread_rwlock_unlock(&cache->lockIn);
 }
 
@@ -4807,6 +4809,7 @@ void uw_Sqlcache_store(uw_context ctx, uw_Sqlcache_Cache *cache, char **keys, uw
 update->keys = uw_Sqlcache_copyKeys(keys, cache->numKeys);
 update->value = value;
 update->next = NULL;
+ value->timeValid = uw_Sqlcache_getTimeNow(cache);
 if (ctx->cacheUpdateTail) {
 ctx->cacheUpdateTail->next = update;
 } else {
diff --git a/src/lru_cache.sml b/src/lru_cache.sml
index 5c05b261..851b4ccb 100644
--- a/src/lru_cache.sml
+++ b/src/lru_cache.sml
@@ -136,14 +136,12 @@ fun setupQuery {index, params} =
 newline,
 string (" char *ks[] = {" ^ revArgs ^ "};"),
 newline,
- string (" uw_Sqlcache_Value *v = calloc(1, sizeof(uw_Sqlcache_Value));"),
+ string (" uw_Sqlcache_Value *v = malloc(sizeof(uw_Sqlcache_Value));"),
 newline,
 string " v->result = strdup(s);",
 newline,
 string " v->output = uw_recordingRead(ctx);",
 newline,
- string " v->timeValid = 0;",
- newline,
 (*string (" puts(\"SQLCACHE: stored " ^ i ^ ".\");"),
 newline,*)
 string (" uw_Sqlcache_store(ctx, cache" ^ i ^ ", ks, v);"),
--
cgit v1.2.3
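Review bot: The new guard `if (entry->value && entry->value->timeValid < value->timeValid) {` in uw_Sqlcache_storeCommitOne skips the store whenever `entry->value` is NULL, so an entry that has no cached value yet never receives one. The removed code stored unconditionally and passed a possibly-NULL `entry->value` to `uw_Sqlcache_freeValue`, which suggests the intended condition is `if (!entry->value || entry->value->timeValid < value->timeValid) {`. When the guard is false, `value` is neither stored nor freed within this hunk; unless the caller releases it (not visible here), an `else { uw_Sqlcache_freeValue(value); }` is needed so a rejected update does not leak. The function body starts outside the hunk.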
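Review bot: `value->timeValid = uw_Sqlcache_getTimeNow(cache);` in uw_Sqlcache_store gives `timeValid` a second, undocumented meaning: it is the queue-time stamp until `uw_Sqlcache_storeCommitOne` compares it and then overwrites it with `timeNow`. A comment on the new line would make that explicit, e.g. `/* Stamp at queue time; storeCommitOne discards this update if the cached entry is newer. */`. Because the generator no longer zeroes the struct, this assignment is also the only initialiser of `timeValid`, so the comment should state that every `uw_Sqlcache_Value` must reach the cache through `uw_Sqlcache_store`. Whether `uw_Sqlcache_getTimeNow` may be called here without `cache->lockIn` held is not visible in the hunk and should be confirmed. The function body starts and ends outside the hunk.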
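Review bot: Replacing `calloc(1, sizeof(uw_Sqlcache_Value))` with `malloc(sizeof(uw_Sqlcache_Value))` in the generated C leaves every field the emitted code does not assign indeterminate, and `timeValid` stays indeterminate until `uw_Sqlcache_store` stamps it. Keeping the `calloc` and dropping only the `v->timeValid = 0;` line costs nothing, and a field added to the struct later, or a path that reads the value before the stamp, would then see zero instead of uninitialised heap contents. The emitted code also dereferences `v` on the next line (`v->result = strdup(s);`) without checking the allocation, a gap that predates this change; a generated NULL check that follows the runtime's error convention would close it. The enclosing `setupQuery` continues outside the hunk.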