From: chenzhengyong chenzhengyong@uniontech.com
find_subkey() can crash when accessing a deleted subkey. When a key is deleted, its node may remain in the subkeys array but key->obj.name becomes NULL due to unlink_named_object(). This can happen when iterating over subkeys during rename or delete operations.
Signed-off-by: chenzhengyong chenzhengyong@uniontech.com --- server/registry.c | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/server/registry.c b/server/registry.c
index 7cfefc7a6c3..954aaf712f4 100644
--- a/server/registry.c
+++ b/server/registry.c
@@ -297,6 +297,8 @@ static struct key *find_subkey( const struct key *key, const struct unicode_str
     while (min <= max)
     {
         i = (min + max) / 2;
+        if (key->subkeys[i]->flags & KEY_DELETED)
+            break;
         len = min( key->subkeys[i]->obj.name->len, name->len );
         res = memicmp_strW( key->subkeys[i]->obj.name->name, name->str, len );
         if (!res) res = key->subkeys[i]->obj.name->len - name->len;
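Review bot: The added `break` stops the binary search as soon as the midpoint is a deleted entry, so a subkey that still exists elsewhere in the array is reported as not found, and whatever not-found result the function reports (its return path is outside this hunk) reflects a search that was cut short; if callers use that result as an insertion position, new subkeys could be placed out of sorted order and later lookups could miss them. The NULL-name crash is avoided, but the lookup is now silently lossy whenever a deleted node is still in the array, which seems worth either removing the node from `subkeys` at deletion time or having callers treat a NULL return here as "retry/unknown" rather than "absent". Either way the check needs a comment saying why a deleted node can still be in the array, e.g. `/* a deleted key may still sit in subkeys with obj.name NULL; never dereference it */`. Matching the one-line style used by `if (!res) res = ...` just below, `if (key->subkeys[i]->flags & KEY_DELETED) break;` would also read more consistently.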