Commit 224355e

author
Your Name
committed
fix(mcp): use strcpy for semantic result strings to prevent use-after-free
The semantic_results section used yyjson_mut_obj_add_str (borrows pointer) then called cbm_node_free_fields which freed those strings. The yyjson doc then held dangling pointers, producing garbage in the JSON output. Fix: use yyjson_mut_obj_add_strcpy (copies string) for all node fields in the vector-only result loop.
1 parent b380ee7 commit 224355e

1 file changed

+8
-8
lines changed


src/mcp/mcp.c

Lines changed: 8 additions & 8 deletions
@@ -1140,14 +1140,14 @@ static char *handle_search_graph(cbm_mcp_server_t *srv, const char *args) {
11401140
if (cbm_store_find_node_by_id(store, rrf_results[i].node_id,
11411141
&vnode) == CBM_STORE_OK) {
11421142
yyjson_mut_val *vitem = yyjson_mut_obj(doc);
1143-
yyjson_mut_obj_add_str(doc, vitem, "name",
1144-
vnode.name ? vnode.name : "");
1145-
yyjson_mut_obj_add_str(doc, vitem, "qualified_name",
1146-
vnode.qualified_name ? vnode.qualified_name : "");
1147-
yyjson_mut_obj_add_str(doc, vitem, "label",
1148-
vnode.label ? vnode.label : "");
1149-
yyjson_mut_obj_add_str(doc, vitem, "file_path",
1150-
vnode.file_path ? vnode.file_path : "");
1143+
yyjson_mut_obj_add_strcpy(doc, vitem, "name",
1144+
vnode.name ? vnode.name : "");
1145+
yyjson_mut_obj_add_strcpy(doc, vitem, "qualified_name",
1146+
vnode.qualified_name ? vnode.qualified_name : "");
1147+
yyjson_mut_obj_add_strcpy(doc, vitem, "label",
1148+
vnode.label ? vnode.label : "");
1149+
yyjson_mut_obj_add_strcpy(doc, vitem, "file_path",
1150+
vnode.file_path ? vnode.file_path : "");
11511151
yyjson_mut_obj_add_real(doc, vitem, "similarity",
11521152
rrf_results[i].similarity);
11531153
yyjson_mut_obj_add_real(doc, vitem, "rrf_score",
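
Review bot: The bool return value of each yyjson_mut_obj_add_strcpy call on new lines 1143-1150 is discarded, and unlike the borrowing yyjson_mut_obj_add_str this variant has to allocate a copy inside the document, so an allocation failure would silently drop "name", "qualified_name", "label" or "file_path" from the result item. Consider checking the result and skipping or failing the item when it is false. The reason for the copy (per the commit message, cbm_node_free_fields frees the vnode strings) is not visible anywhere in this hunk, so a one-line comment above these calls stating that the strings must be copied because vnode is freed afterwards would keep a later cleanup from switching back to yyjson_mut_obj_add_str. The message scopes the fix to the vector-only result loop; any other place that adds node fields with yyjson_mut_obj_add_str and then frees the node deserves the same audit.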
