Fix use-after-free in hash implementation.

If a value is added to the hash under a key that already exists the new value
replaces the old value for that key. Since key can be a pointer to data that
is part of value and freed by hash->free_value(), the key must be also
replaced and not only the value. Otherwise key potentially points to freed data.

diff --git a/libkmod/libkmod-hash.c b/libkmod/libkmod-hash.c
index c751d2d..eb7afb7 100644 (file)
--- a/libkmod/libkmod-hash.c
+++ b/libkmod/libkmod-hash.c
@@ -169,6 +169,7 @@ int hash_add(struct hash *hash, const char *key, const void *value)
                if (c == 0) {
                        if (hash->free_value)
                                hash->free_value((void *)entry->value);
+                       entry->key = key;
                        entry->value = value;
                        return 0;
                } else if (c < 0) {