author | Jo-Philipp Wich <jo@mein.io> | 2019-10-29 08:28:17 +0100 |
---|---|---|
committer | Jo-Philipp Wich <jo@mein.io> | 2020-05-26 16:16:50 +0200 |
commit | abbc3020dcfb6ed7dcbcf8eaf27e17a8fc9df83c (patch) | |
tree | 689c9a8f033f478a9d28dafbf2103050317d4788 | |
parent | 3aa81d0dfae167eccc26203bd0c96f3e3450f253 (diff) | |
download | rpcd-abbc3020dcfb6ed7dcbcf8eaf27e17a8fc9df83c.tar.gz |
uci: reset uci_ptr flags when merging set operations
In some cases, e.g. when subsequently setting multiple empty option
values, uci_set() might free the section pointer of the given reused
uci_ptr structure without zeroing it, leading to a use-after-free on
processing subsequent options.
Avoid this issue by clearing the lookup pointer flags in order to
prevent uci_set() from incorrectly branching into a uci_delete()
operation leading to the freeing of the section member.
Ref: http://lists.infradead.org/pipermail/openwrt-devel/2019-October/019592.html
Reported-by: Daniel Danzberger <daniel@dd-wrt.com>
Suggested-by: Yousong Zhou <yszhou4tech@gmail.com>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit bd0ed2521476c3e5b6c1a0e0bd2c386ea809d74b)
-rw-r--r-- | uci.c | 1 |
1 files changed, 1 insertions, 0 deletions
@@ -817,6 +817,7 @@ rpc_uci_merge_set(struct blob_attr *opt, struct uci_ptr *ptr) struct blob_attr *cur; int rem, rv; + ptr->flags = 0; ptr->o = NULL; ptr->option = blobmsg_name(opt); ptr->value = NULL; |
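Review bot: The new `ptr->flags = 0;` at the top of rpc_uci_merge_set() has no comment, and next to the existing `ptr->o = NULL;` and `ptr->value = NULL;` resets it reads as routine housekeeping that a later cleanup could drop. The reason it is there is recorded only in the commit message: stale lookup flags on the reused uci_ptr let uci_set() branch into a delete and free the section. Please add a one-line comment above the assignment saying that. The hunk also leaves `ptr->s` untouched, so the fix depends entirely on uci_set() no longer taking the freeing path once the flags are cleared. It would help to state that assumption in the same comment, so a change in uci_set() behaviour prompts a re-check of this function.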