find_subkey() can crash when accessing a deleted subkey. When a key is deleted, its node may remain in the subkeys array but key->obj.name becomes NULL due to unlink_named_object(). This can happen when iterating over subkeys during rename or delete operations.
Signed-off-by: chenzhengyong chenzhengyong@uniontech.com
-- v2: server: Fix incorrect key modification in rename_key function
From: chenzhengyong chenzhengyong@uniontech.com
When `index == cur_index + 1`, the modification logic incorrectly altered the value of the subkey following the current key, leading to unintended changes in other keys.
Signed-off-by: chenzhengyong chenzhengyong@uniontech.com
---
 server/registry.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/server/registry.c b/server/registry.c index 7cfefc7a6c3..bb7897ef731 100644 --- a/server/registry.c +++ b/server/registry.c @@ -1038,7 +1038,7 @@ static void rename_key( struct key *key, const struct unicode_str *new_name ) for (cur_index = 0; cur_index <= parent->last_subkey; cur_index++) if (parent->subkeys[cur_index] == key) break;
- if (cur_index < index && (index - cur_index) > 1) + if (cur_index < index) { --index; for (i = cur_index; i < index; ++i) parent->subkeys[i] = parent->subkeys[i+1];
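Review bot: the new `if (cur_index < index)` deserves a one-line comment, because the adjacent case it now admits looks like a no-op at first glance and the store that consumes `index` is outside the visible hunk. The old guard `(index - cur_index) > 1` skipped the block when the key's target slot was the one right after it, but the `--index` that compensates for removing the key's own slot lives inside that block, so `index` stayed one too high and the same key ended up in two slots (the `[A, BB, BB, D]` case in the description). With the fix, `--index` brings `index` back to `cur_index`, the `for (i = cur_index; i < index; ++i)` loop runs zero times, and the key is written back to its own slot. Suggest something like `/* index == cur_index + 1 means the key stays put: --index makes the shift a no-op */` above the `{` so the next reader does not reintroduce the shortcut.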
If we have subkeys **`[A, B, C, D]`** where:

* **`B`** is at **`cur_index = 1`**
* If renaming B to BB, after find_subkey, **`index = 2`**
* After rename_key, will get [A, BB, BB, D]
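As an added illustration (not Wine's code and not from the patch author), the following stand-alone C model reproduces the subkey shift from rename_key() with the old and the new guard side by side. Beyond what the hunk shows, it assumes that the subkey array holds pointers to key objects, that the key object itself is renamed in place, that the key is stored at `subkeys[index]` after the shift, and that find_subkey reports slot 2 for `BB` and slot 4 for `E` as insertion points (the first value is taken from the mail, the second follows the same sorted-insertion rule). Names such as `model_rename` and `scenario_rename_b_to_bb` are this example's own.

```c
/* Added example, not Wine's code: a model of the subkey shift in
 * rename_key() with the old guard and the fixed guard selectable. */
#include <stdio.h>
#include <string.h>

#define MAX_SUBKEYS 8

/* Assumed: subkeys hold pointers to key objects that carry the name. */
struct model_key { const char *name; };

struct model {
    struct model_key *subkeys[MAX_SUBKEYS];
    int last_subkey;            /* index of the last valid slot */
};

/* Move `key` to its new sorted slot `index` (as reported by find_subkey
 * while the key still occupies its old slot). use_fixed_guard selects the
 * patched condition; 0 reproduces the pre-patch behaviour. */
static void model_rename(struct model *m, struct model_key *key, int index,
                         const char *new_name, int use_fixed_guard)
{
    int i, cur_index, shift;

    key->name = new_name;       /* assumed: rename happens in place */

    for (cur_index = 0; cur_index <= m->last_subkey; cur_index++)
        if (m->subkeys[cur_index] == key) break;

    shift = use_fixed_guard ? (cur_index < index)
                            : (cur_index < index && (index - cur_index) > 1);
    if (shift)
    {
        --index;                /* the key's own slot goes away */
        for (i = cur_index; i < index; ++i) m->subkeys[i] = m->subkeys[i + 1];
    }
    m->subkeys[index] = key;    /* assumed: final store of the key */
}

/* Render the array as "A,B,C,D" for easy comparison (static buffer). */
static const char *format_keys(const struct model *m)
{
    static char buf[64];
    int i;
    buf[0] = '\0';
    for (i = 0; i <= m->last_subkey; i++)
    {
        if (i) strcat(buf, ",");
        strcat(buf, m->subkeys[i]->name);
    }
    return buf;
}

/* The case from the mail: B at cur_index 1 renamed to BB, whose sorted
 * insertion slot is 2. Old guard duplicates the key pointer and drops C. */
const char *scenario_rename_b_to_bb(int use_fixed_guard)
{
    struct model_key a = {"A"}, b = {"B"}, c = {"C"}, d = {"D"};
    struct model m = { { &a, &b, &c, &d }, 3 };
    model_rename(&m, &b, 2, "BB", use_fixed_guard);
    return format_keys(&m);
}

/* A non-adjacent move: B renamed to E, insertion slot 4 (past D).
 * Both guards shift C and D down and place E last. */
const char *scenario_rename_b_to_e(int use_fixed_guard)
{
    struct model_key a = {"A"}, b = {"B"}, c = {"C"}, d = {"D"};
    struct model m = { { &a, &b, &c, &d }, 3 };
    model_rename(&m, &b, 4, "E", use_fixed_guard);
    return format_keys(&m);
}

int main(void)
{
    printf("B->BB old guard:   %s\n", scenario_rename_b_to_bb(0));
    printf("B->BB fixed guard: %s\n", scenario_rename_b_to_bb(1));
    printf("B->E  old guard:   %s\n", scenario_rename_b_to_e(0));
    printf("B->E  fixed guard: %s\n", scenario_rename_b_to_e(1));
    return 0;
}
```

The second scenario is there to show that the patch only changes the adjacent case: whenever the key moves more than one slot, the old and the new guard take the same path. In the adjacent case the old guard leaves the same key pointer in slots 1 and 2, so the pointer to C is no longer referenced from the array at all, which is why the fix matters beyond the cosmetic duplicate name.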