sd-journal: fix use-after-free

As commented in the code, we need to replace the pointer to the key,
hence, hashmap_replace() must be used, instead of hashmap_update().

Fixes #27459.

diff --git a/src/libsystemd/sd-journal/sd-journal.c b/src/libsystemd/sd-journal/sd-journal.c
index b0194e875c9880c2ba4b10e508468be0724536b8..d5561c9a46b82de05d5a9aced6c4bf7992109a78 100644 (file)
--- a/src/libsystemd/sd-journal/sd-journal.c
+++ b/src/libsystemd/sd-journal/sd-journal.c
@@ -2304,7 +2304,7 @@ static void journal_file_unlink_newest_by_bood_id(sd_journal *j, JournalFile *f)
                 /* There's still a member in the prioq? Then make sure the hashmap key now points to its
                  * .newest_boot_id field (and not ours!). Not we only replace the memory of the key here, the
                  * value of the key (and the data associated with it) remain the same. */
-                assert_se(hashmap_update(j->newest_by_boot_id, &nf->newest_boot_id, p) >= 0);
+                assert_se(hashmap_replace(j->newest_by_boot_id, &nf->newest_boot_id, p) >= 0);
         else {
                 assert_se(hashmap_remove(j->newest_by_boot_id, &f->newest_boot_id) == p);
                 prioq_free(p);