lib: fix _hash_member() crash w/ empty hash

The typesafe hash _member() didn't check tabshift/count before proceeding to look at the hash table, leading it to dereference a NULL pointer when the hash table is in fact empty. Test case added to tests/lib/test_typelist. Note this function is not currently used anywhere. Only lib/cspf.c uses _member(), but it does so on a RB-tree rather than a hash. Signed-off-by: David Lamparter <equinox@opensourcerouting.org>
2025-04-28 11:50:21 +00:00 · 2023-04-21 16:23:39 +02:00 · 2023-04-21 16:23:39 +02:00 · 5523a505f4
commit 5523a505f4
parent ae19023b8e
2 changed files with 7 additions and 0 deletions
--- a/lib/typesafe.h
+++ b/lib/typesafe.h
@ -948,6 +948,8 @@ macro_pure size_t prefix ## _count(const struct prefix##_head *h)              \
 macro_pure bool prefix ## _member(const struct prefix##_head *h,               \
 				  const type *item)                            \
 {                                                                              \
+	if (!h->hh.tabshift)                                                   \
+		return NULL;                                                   \
 	uint32_t hval = item->field.hi.hashval, hbits = HASH_KEY(h->hh, hval); \
 	const struct thash_item *hitem = h->hh.entries[hbits];                 \
 	while (hitem && hitem->hashval < hval)                                 \
--- a/tests/lib/test_typelist.h
+++ b/tests/lib/test_typelist.h
@ -171,6 +171,11 @@ static void concat(test_, TYPE)(void)

 	ts_hash("init", "df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119");

+#if !IS_ATOMIC(REALTYPE)
+	assert(!list_member(&head, &itm[0]));
+	assert(!list_member(&head, &itm[1]));
+#endif
+
 #if IS_SORTED(REALTYPE)
 	prng = prng_new(0);
 	k = 0;