The _hna_global_add function searches through the list of HNAs to check whether there is already an hna entry for this orig pointer. Otherwise one is allocated automatically.
This was implemented by setting hna_orig_ptr to NULL after the comparison. This will most likely crash the program because the list_for_each_entry implementation uses hna_orig_ptr to find the next entry before doing the loop condition check. The next entry cannot be found by dereferencing NULL+epsilon.
Signed-off-by: Sven Eckelmann sven@narfation.org --- hna.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/hna.c b/hna.c
index f0d64e1..0f28bfe 100644
--- a/hna.c
+++ b/hna.c
@@ -322,6 +322,7 @@ static void _hna_global_add(struct orig_node *orig_node, struct hna_element *hna
 struct hna_orig_ptr *hna_orig_ptr = NULL;
 struct orig_node *old_orig_node = NULL;
 struct hashtable_t *swaphash;
+ int found = 0;
hna_global_entry = ((struct hna_global_entry *)hash_find(hna_global_hash, hna_element));
@@ -354,14 +355,14 @@ static void _hna_global_add(struct orig_node *orig_node, struct hna_element *hna
 return;
 list_for_each_entry(hna_orig_ptr, &hna_global_entry->orig_list, list) {
- if (hna_orig_ptr->orig_node == orig_node)
+ if (hna_orig_ptr->orig_node == orig_node) {
+ found = 1;
 break;
-
- hna_orig_ptr = NULL;
+ }
 }
 /* append the given orig node to the list */
- if (!hna_orig_ptr) {
+ if (!found) {
 hna_orig_ptr = debugMalloc(sizeof(struct hna_orig_ptr), 704);
if (!hna_orig_ptr)
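Review bot: The reason the `found` flag is needed is not visible at the loop itself, and the next person to touch this code is likely to "simplify" it back into the cursor-as-sentinel form that the commit message says crashes; a short comment on the `list_for_each_entry` line would pin it down, e.g. `/* the cursor is advanced before the loop test and ends on the list head's container when nothing matches, so it cannot be NULLed or used as a "not found" sentinel; track the hit separately */`. It may also be worth stating in that comment that after an exhausted loop `hna_orig_ptr` is deliberately overwritten by the `debugMalloc()` result rather than read. The enclosing function `_hna_global_add` begins before the first hunk and continues past the `if (!hna_orig_ptr)` allocation check at the end of this hunk, so the failure path of that check is not reviewable here.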