Fix possible temporary cache entry corruption

If for some reason the cache queue lock couldn't be locked, the created entry would remain in the hash table. This could potentially lead to two threads obtaining a reference to this temporary entry, and calling cache_entry_unref() on it, leading to double frees and other nasty problems. It's very unlikely that this condition will happen, as pthread_rwlock_wrlock() should fail only when a dead lock would occur. Reported by immerse
lpereira · Mar 23, 2017 · 523c193 · 523c193
1 parent 28e23f2
commit 523c193
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/common/lwan-cache.c b/common/lwan-cache.c
@@ -239,6 +239,11 @@ struct cache_entry *cache_get_and_ref_entry(struct cache *cache,
             pthread_rwlock_unlock(&cache->queue.lock);
         } else {
             convert_to_temporary(entry);
+
+            /* Ensure item is removed from the hash table; otherwise,
+             * another thread could potentially get another reference
+             * to this entry and cause an invalid memory access. */
+            hash_del(cache->hash.table, entry->key);
         }
     } else {
         /* Either there's another item with the same key (-EEXIST), or