David Turner <dturner@xxxxxxxxxxxxxxxx> writes:

> Stop reusing cache_entry in dir_entry; doing so causes a
> use-after-free bug.
>
> During merges, we free entries that we no longer need in the
> destination index. But those entries might have also been stored in
> the dir_entry cache, and when a later call to add_to_index found them,
> they would be used after being freed.
>
> To prevent this, change dir_entry to store a copy of the name instead
> of a pointer to a cache_entry. This entails some refactoring of code
> that expects the cache_entry.
>
> Keith McGuigan <kmcguigan@xxxxxxxxxxx> diagnosed this bug and wrote
> the initial patch, but this version does not use any of Keith's code.
>
> Helped-by: Keith McGuigan <kmcguigan@xxxxxxxxxxx>
> Helped-by: Junio C Hamano <gitster@xxxxxxxxx>
> Signed-off-by: David Turner <dturner@xxxxxxxxxxxxxxxx>
> ---

The patch looks good to me. Will replace the ce-refcnt one with this. Thanks for following it through.
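
The ownership change described in the quoted commit message, as an added C example that is not part of the original thread and is not git's code: a directory cache that copies the name keeps working after the index entry it was built from is freed. The struct layouts and the helpers `make_cache_entry`, `dir_cache_add` and `lookup_survives_entry_free` are simplified, hypothetical stand-ins.

```c
#include <stdlib.h>
#include <string.h>
/* Simplified, hypothetical stand-ins for illustration; not git's definitions. */
struct cache_entry {
	unsigned int namelen;
	char name[];
};

/* Shape after the fix: the directory cache owns a private copy of the name.
 * The shape before the fix held a pointer to a cache_entry instead, which
 * dangled as soon as a merge freed that entry. */
struct dir_entry {
	struct dir_entry *next;
	unsigned int namelen;
	char name[];
};

static struct cache_entry *make_cache_entry(const char *path)
{
	size_t len = strlen(path);
	struct cache_entry *ce = malloc(sizeof(*ce) + len + 1);
	if (!ce) return NULL;
	ce->namelen = (unsigned int)len;
	memcpy(ce->name, path, len + 1);
	return ce;
}

/* Copy the first dirlen bytes of ce->name; no pointer to ce is retained. */
static struct dir_entry *dir_cache_add(struct dir_entry **head,
		const struct cache_entry *ce, unsigned int dirlen)
{
	struct dir_entry *d = malloc(sizeof(*d) + dirlen + 1);
	if (!d || dirlen > ce->namelen) { free(d); return NULL; }
	memcpy(d->name, ce->name, dirlen);
	d->name[dirlen] = '\0';
	d->namelen = dirlen;
	d->next = *head;
	return *head = d;
}

/* Returns 1 when the directory is still found after the entry is freed. */
int lookup_survives_entry_free(void)
{
	struct dir_entry *head = NULL, *d;
	struct cache_entry *ce = make_cache_entry("src/merge/file.c"); /* constructed path */
	int found = 0, added = ce && dir_cache_add(&head, ce, 9); /* "src/merge" */
	free(ce); /* the merge drops the entry from the destination index */
	for (d = head; d; d = d->next)
		found |= d->namelen == 9 && !memcmp(d->name, "src/merge", 9);
	while (head) { d = head->next; free(head); head = d; }
	return added && found;
}
```

Building this with `-fsanitize=address` and calling `lookup_survives_entry_free()` reports no error, because no read goes through the freed `cache_entry`.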