authorJo-Philipp Wich <jo@mein.io>2020-12-23 19:06:12 +0100
committerJo-Philipp Wich <jo@mein.io>2021-01-17 21:15:20 +0100
commitc2a69a364ef857007e752aca11389149ffa4e589 (patch)
tree1890a74dcca08f9dc6e802b58f6c651e8479d8a6
parent67c8a3fda26e441d3ec4a19f50ac72eca8deb14b (diff)
uci: manually clear uci_ptr flags after uci_delete() operationsopenwrt-19.07
This is required to avoid potential use-after-free errors through the uci_set()->uci_delete()->uci_expand_ptr() call chain when passing zero-length strings as values. Ref: https://bugs.openwrt.org/index.php?do=details&task_id=3528 Suggested-by: olegio170 <olegios170@gmail.com> Signed-off-by: Jo-Philipp Wich <jo@mein.io> (cherry picked from commit d3f2041f4363e76fda57dd6b581eb71cf1a0e114)
-rw-r--r--uci.c6
1 files changed, 5 insertions, 1 deletions
diff --git a/uci.c b/uci.c
index 327b17f..e239433 100644
--- a/uci.c
+++ b/uci.c
@@ -831,8 +831,10 @@ rpc_uci_merge_set(struct blob_attr *opt, struct uci_ptr *ptr)
if (blobmsg_type(opt) == BLOBMSG_TYPE_ARRAY)
{
- if (ptr->o)
+ if (ptr->o) {
uci_delete(cursor, ptr);
+ ptr->flags = 0;
+ }
rv = UBUS_STATUS_INVALID_ARGUMENT;
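Review bot: The `ptr->flags = 0;` reset added after `uci_delete(cursor, ptr)` carries no comment explaining why it is needed, so a later cleanup could drop it as a redundant assignment and bring back the use-after-free the commit message describes. I would put `/* uci_delete() frees the element ptr was resolved to; clear the lookup flags so the next uci call re-resolves it */` above it, with the wording checked against libuci since its internals are not visible here. The same delete-then-reset pair recurs in the hunks at -850 and -981, so a small static helper that performs both steps would keep the three call sites from drifting apart. rpc_uci_merge_set starts and ends outside this hunk.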
@@ -850,6 +852,7 @@ rpc_uci_merge_set(struct blob_attr *opt, struct uci_ptr *ptr)
else if (ptr->o && ptr->o->type == UCI_TYPE_LIST)
{
uci_delete(cursor, ptr);
+ ptr->flags = 0;
if (!rpc_uci_format_blob(opt, &ptr->value))
return UBUS_STATUS_INVALID_ARGUMENT;
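Review bot: The list option is deleted before `rpc_uci_format_blob(opt, &ptr->value)` has accepted the new value, so a value that cannot be formatted returns `UBUS_STATUS_INVALID_ARGUMENT` with the existing list already removed from the cursor's state. Formatting into a local first and only then calling `uci_delete(cursor, ptr)`, resetting `ptr->flags` and assigning `ptr->value` would leave the option untouched on invalid input. Whether the removal is ever saved on the error path depends on the caller, which is outside this hunk, so treat this as something to confirm rather than a demonstrated data loss.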
@@ -981,6 +984,7 @@ rpc_uci_merge_delete(struct blob_attr *opt, struct uci_ptr *ptr)
continue;
uci_delete(cursor, ptr);
+ ptr->flags = 0;
rv = 0;
}
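Review bot: `rv = 0` is assigned right after `uci_delete(cursor, ptr)` without looking at its return value, so the caller is told the delete succeeded even if libuci rejected it. Consider `if (uci_delete(cursor, ptr) == UCI_OK) rv = 0;` and keep `ptr->flags = 0;` unconditional, so the pointer is re-resolved in either case. The enclosing loop and the initial value of `rv` are outside the hunk, so check that a failed delete should indeed leave the earlier status in place.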