From: Martin Wilck <martin_wilck@gmx.de>
Date: Fri, 15 Nov 2024 22:24:30 +0000 (+0100)
Subject: libkmod: hash_del: fix out-of-bounds memory access
X-Git-Tag: v34~47
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=eac0a4a6ab196f3639f6f1db955edcb6e5bb8473;p=thirdparty%2Fkmod.git

libkmod: hash_del: fix out-of-bounds memory access

Assume bucket->used is 1, and element 0 is deleted. We shouldn't access any
memory above (entry + 1) in this case. Likewise, if bucked->used is 2, only
one element should be shifted, etc.

Fixes: 7db0865 ("Add simple hash implementation")
Signed-off-by: Martin Wilck <martin_wilck@gmx.de>
Reviewed-by: Emil Velikov <emil.l.velikov@gmail.com>
Link: https://github.com/kmod-project/kmod/pull/257
Signed-off-by: Lucas De Marchi <lucas.de.marchi@gmail.com>
---

diff --git a/shared/hash.c b/shared/hash.c
index 38b7bb30..158d85d9 100644
--- a/shared/hash.c
+++ b/shared/hash.c
@@ -258,7 +258,7 @@ int hash_del(struct hash *hash, const char *key)
 		hash->free_value((void *)entry->value);
 
 	entry_end = bucket->entries + bucket->used;
-	memmove(entry, entry + 1, (entry_end - entry) * sizeof(struct hash_entry));
+	memmove(entry, entry + 1, (entry_end - entry - 1) * sizeof(struct hash_entry));
 
 	bucket->used--;
 	hash->count--;
diff --git a/testsuite/test-hash.c b/testsuite/test-hash.c
index 1ec820d1..b115a623 100644
--- a/testsuite/test-hash.c
+++ b/testsuite/test-hash.c
@@ -184,8 +184,7 @@ static int test_hash_del(const struct test *t)
 
 	return 0;
 }
-DEFINE_TEST(test_hash_del, .description = "test add / delete a single element",
-	    .expected_fail = true);
+DEFINE_TEST(test_hash_del, .description = "test add / delete a single element");
 
 static int test_hash_free(const struct test *t)
 {