svn commit: r190491 - head/lib/libc/db/hash

Fri Mar 27 23:30:44 PDT 2009

Author: delphij
Date: Sat Mar 28 06:30:43 2009
New Revision: 190491
URL: http://svn.freebsd.org/changeset/base/190491

Log:
  Fix a crash when iterating over a hash and removing its elements.
  
  Obtained from:	OpenBSD

Modified:
  head/lib/libc/db/hash/hash.c
  head/lib/libc/db/hash/hash_page.c

Modified: head/lib/libc/db/hash/hash.c
==============================================================================

--- head/lib/libc/db/hash/hash.c	Sat Mar 28 06:25:33 2009	(r190490)
+++ head/lib/libc/db/hash/hash.c	Sat Mar 28 06:30:43 2009	(r190491)
@@ -539,8 +539,7 @@ hash_put(const DB *dbp, DBT *key, const 
 
 	hashp = (HTAB *)dbp->internal;
 	if (flag && flag != R_NOOVERWRITE) {
-		hashp->error = EINVAL;
-		errno = EINVAL;
+		hashp->error = errno = EINVAL;
 		return (ERROR);
 	}
 	if ((hashp->flags & O_ACCMODE) == O_RDONLY) {
@@ -719,7 +718,7 @@ hash_seq(const DB *dbp, DBT *key, DBT *d
 		hashp->cndx = 1;
 		hashp->cpage = NULL;
 	}
-
+ next_bucket:
 	for (bp = NULL; !bp || !bp[0]; ) {
 		if (!(bufp = hashp->cpage)) {
 			for (bucket = hashp->cbucket;
@@ -738,8 +737,18 @@ hash_seq(const DB *dbp, DBT *key, DBT *d
 				hashp->cbucket = -1;
 				return (ABNORMAL);
 			}
-		} else
+		} else {
 			bp = (u_int16_t *)hashp->cpage->page;
+			if (flag == R_NEXT) {
+				hashp->cndx += 2;
+				if (hashp->cndx > bp[0]) {
+					hashp->cpage = NULL;
+					hashp->cbucket++;
+					hashp->cndx = 1;
+					goto next_bucket;
+				}
+			}
+		}
 
 #ifdef DEBUG
 		assert(bp);
@@ -767,13 +776,6 @@ hash_seq(const DB *dbp, DBT *key, DBT *d
 		key->size = (ndx > 1 ? bp[ndx - 1] : hashp->BSIZE) - bp[ndx];
 		data->data = (u_char *)hashp->cpage->page + bp[ndx + 1];
 		data->size = bp[ndx] - bp[ndx + 1];
-		ndx += 2;
-		if (ndx > bp[0]) {
-			hashp->cpage = NULL;
-			hashp->cbucket++;
-			hashp->cndx = 1;
-		} else
-			hashp->cndx = ndx;
 	}
 	return (SUCCESS);
 }

Modified: head/lib/libc/db/hash/hash_page.c
==============================================================================
--- head/lib/libc/db/hash/hash_page.c	Sat Mar 28 06:25:33 2009	(r190490)
+++ head/lib/libc/db/hash/hash_page.c	Sat Mar 28 06:30:43 2009	(r190491)
@@ -155,6 +155,14 @@ __delpair(HTAB *hashp, BUFHEAD *bufp, in
 				bp[i - 1] = bp[i + 1] + pairlen;
 			}
 		}
+		if (ndx == hashp->cndx) {
+			/*
+			 * We just removed pair we were "pointing" to.
+			 * By moving back the cndx we ensure subsequent
+			 * hash_seq() calls won't skip over any entries.
+			 */
+			hashp->cndx -= 2;
+		}
 	}
 	/* Finally adjust the page data */
 	bp[n] = OFFSET(bp) + pairlen;
