foster/bitcoin-bitcoin-core
0
0
Fork 0
mirror of https://github.com/bitcoin/bitcoin.git synced 2025-02-03 09:56:38 -05:00
Code Issues Activity

Merge bitcoin/bitcoin#29176: wallet: Fix use-after-free in WalletBatch::EraseRecords

Browse source 
faebf1df2a wallet: Fix use-after-free in WalletBatch::EraseRecords (MarcoFalke)

Pull request description:

  Creating a copy of the pointer to the underlying data of the stream is not enough to copy the data.

  Currently this happens to work sometimes, because the stream may not immediately free unused memory. However, there is no guarantee by the stream interface to always behave this way. Also, if `vector::clear` is called on the underlying memory, any pointers to it are invalid.

  Fix this, by creating a full copy of all bytes.

ACKs for top commit:
  achow101:
    ACK faebf1df2a

Tree-SHA512: 79ede9bc16cf257609545597bc6d9623ceead4531780ea6037cc5684aa3a7c7d80601354d315358defe47193f978a8ce40c5dc4637e32936c76157679b549ac5
This commit is contained in:
Ava Chow 2024-01-04 10:11:22 -05:00
commit d84f736ba1
No known key found for this signature in database
GPG key ID: 17565732E08E5E41
1 changed files with 2 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
src/wallet/walletdb.cpp
View file

@ -1401,13 +1401,13 @@ bool WalletBatch::EraseRecords(const std::unordered_set<std::string>& types)
}
// Make a copy of key to avoid data being deleted by the following read of the type
Span key_data{key};
const SerializeData key_data{key.begin(), key.end()};
std::string type;
key >> type;
if (types.count(type) > 0) {
if (!m_batch->Erase(key_data)) {
if (!m_batch->Erase(Span{key_data})) {
cursor.reset(nullptr);
m_batch->TxnAbort();
return false; // erase failed