[PATCH v2 0/1] MR9247: server: avoid crash on deleted registry subkeys in find_subkey
find_subkey() can crash when accessing a deleted subkey. When a key is deleted, its node may remain in the subkeys array but key->obj.name becomes NULL due to unlink_named_object(). This can happen when iterating over subkeys during rename or delete operations.

Signed-off-by: chenzhengyong <chenzhengyong(a)uniontech.com>
--
v2: server: Fix incorrect key modification in rename_key function

https://gitlab.winehq.org/wine/wine/-/merge_requests/9247
From: chenzhengyong <chenzhengyong(a)uniontech.com> When `index == cur_index + 1`, the modification logic incorrectly altered the value of the subkey following the current key, leading to unintended changes in other keys. Signed-off-by: chenzhengyong <chenzhengyong(a)uniontech.com> --- server/registry.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/server/registry.c b/server/registry.c index 7cfefc7a6c3..bb7897ef731 100644 --- a/server/registry.c +++ b/server/registry.c @@ -1038,7 +1038,7 @@ static void rename_key( struct key *key, const struct unicode_str *new_name ) for (cur_index = 0; cur_index <= parent->last_subkey; cur_index++) if (parent->subkeys[cur_index] == key) break; - if (cur_index < index && (index - cur_index) > 1) + if (cur_index < index) { --index; for (i = cur_index; i < index; ++i) parent->subkeys[i] = parent->subkeys[i+1]; -- GitLab https://gitlab.winehq.org/wine/wine/-/merge_requests/9247
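Review bot: the relaxed condition `if (cur_index < index)` handles the `index == cur_index + 1` case correctly, since after `--index` the shift loop `for (i = cur_index; i < index; ++i)` runs zero times and no neighbouring subkey is overwritten, but the v2 patch no longer matches its own series: the cover letter and subject still describe a NULL `key->obj.name` crash in find_subkey() on deleted subkeys, while the only change here is the rename_key() index logic. Either update the cover letter to describe the rename fix or state that the find_subkey() crash fix was dropped from v2. A regression test that renames a key to a name sorting immediately after it (the `[A, B, C, D]`, B to BB case from the MR discussion) would keep the `index - cur_index == 1` path covered.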
If we have subkeys **`[A, B, C, D]`** where:

* **`B`** is at **`cur_index = 1`**
* If renaming B to BB, after find_subkey, **`index = 2`**
* After rename_key, will get `[A, BB, BB, D]`

--
https://gitlab.winehq.org/wine/wine/-/merge_requests/9247#note_119551
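The walkthrough above can be checked mechanically. The following is an added, self-contained model of the subkey-array shuffle, not Wine's server/registry.c code: it keeps a sorted array of key pointers, computes the insertion index the way the comment describes find_subkey reporting `index = 2` for "BB", and then applies either the pre-patch condition `cur_index < index && (index - cur_index) > 1` or the patched `cur_index < index`. Three details are assumptions drawn from the observed `[A, BB, BB, D]` result rather than from the visible hunk: the key object is renamed in place before the array is reordered, a mirror `else` branch shifts entries right when the key moves left, and the renamed key is finally stored at `subkeys[index]`.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of rename_key()'s subkey reordering (not Wine's code). */
#define MAX_SUBKEYS 8
#define NAME_LEN 16

struct key { char name[NAME_LEN]; };

struct parent
{
    struct key *subkeys[MAX_SUBKEYS];  /* kept sorted by name */
    int last_subkey;                   /* index of the last valid slot */
};

/* Insertion position for a name not present in the array: the first subkey
 * whose name sorts after it (assumed to match what find_subkey reports). */
static int insert_index( const struct parent *parent, const char *name )
{
    int i;
    for (i = 0; i <= parent->last_subkey; i++)
        if (strcmp( parent->subkeys[i]->name, name ) > 0) break;
    return i;
}

/* patched == 0 uses the condition before the patch, patched == 1 the one after. */
static void rename_key_model( struct parent *parent, struct key *key, const char *new_name, int patched )
{
    int i, index, cur_index;

    index = insert_index( parent, new_name );
    strncpy( key->name, new_name, NAME_LEN - 1 );  /* assumed: renamed in place first */
    key->name[NAME_LEN - 1] = 0;

    for (cur_index = 0; cur_index <= parent->last_subkey; cur_index++)
        if (parent->subkeys[cur_index] == key) break;

    if (patched ? (cur_index < index) : (cur_index < index && (index - cur_index) > 1))
    {
        --index;  /* key leaves cur_index, so everything after it moves up one */
        for (i = cur_index; i < index; ++i) parent->subkeys[i] = parent->subkeys[i + 1];
    }
    else
    {
        /* assumed mirror branch: key moves left, entries in between move right */
        for (i = cur_index; i > index; --i) parent->subkeys[i] = parent->subkeys[i - 1];
    }
    parent->subkeys[index] = key;  /* assumed final store of the renamed key */
}

/* Rename one key of a fresh [A, B, C, D] array (constructed input) and return
 * the resulting order as "A,B,C,D". Uses a static buffer for convenience. */
static const char *rename_result( int which_key, const char *new_name, int patched )
{
    static char out[64];
    static const char *initial[4] = { "A", "B", "C", "D" };
    struct key keys[4];
    struct parent parent;
    int i;

    for (i = 0; i < 4; i++)
    {
        strcpy( keys[i].name, initial[i] );
        parent.subkeys[i] = &keys[i];
    }
    parent.last_subkey = 3;

    rename_key_model( &parent, &keys[which_key], new_name, patched );

    out[0] = 0;
    for (i = 0; i <= parent.last_subkey; i++)
    {
        if (i) strcat( out, "," );
        strcat( out, parent.subkeys[i]->name );
    }
    return out;
}

int main( void )
{
    printf( "before patch, B->BB: %s\n", rename_result( 1, "BB", 0 ) );  /* A,BB,BB,D */
    printf( "after patch,  B->BB: %s\n", rename_result( 1, "BB", 1 ) );  /* A,BB,C,D */
    printf( "after patch,  B->E:  %s\n", rename_result( 1, "E", 1 ) );   /* A,C,D,E */
    printf( "after patch,  C->AA: %s\n", rename_result( 2, "AA", 1 ) );  /* A,AA,B,D */
    return 0;
}
```

With the old condition the `index == cur_index + 1` case falls into the else branch, whose loop also does nothing, so the final store lands on the next slot and C is lost while the renamed key appears twice. With the patched condition `--index` brings the target back to `cur_index`, the shift loop runs zero times, and the key is stored over its own old slot.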