diff options
author | Jo-Philipp Wich <jo@mein.io> | 2020-12-23 19:06:12 +0100 |
---|---|---|
committer | Jo-Philipp Wich <jo@mein.io> | 2021-01-17 21:15:20 +0100 |
commit | c2a69a364ef857007e752aca11389149ffa4e589 (patch) | |
tree | 1890a74dcca08f9dc6e802b58f6c651e8479d8a6 | |
parent | 67c8a3fda26e441d3ec4a19f50ac72eca8deb14b (diff) | |
download | rpcd-openwrt-19.07.tar.gz |
uci: manually clear uci_ptr flags after uci_delete() operationsopenwrt-19.07
This is required to avoid potential use-after-free errors through the
uci_set()->uci_delete()->uci_expand_ptr() call chain when passing
zero-length strings as values.
Ref: https://bugs.openwrt.org/index.php?do=details&task_id=3528
Suggested-by: olegio170 <olegios170@gmail.com>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit d3f2041f4363e76fda57dd6b581eb71cf1a0e114)
-rw-r--r-- | uci.c | 6 |
1 files changed, 5 insertions, 1 deletions
@@ -831,8 +831,10 @@ rpc_uci_merge_set(struct blob_attr *opt, struct uci_ptr *ptr) if (blobmsg_type(opt) == BLOBMSG_TYPE_ARRAY) { - if (ptr->o) + if (ptr->o) { uci_delete(cursor, ptr); + ptr->flags = 0; + } rv = UBUS_STATUS_INVALID_ARGUMENT; @@ -850,6 +852,7 @@ rpc_uci_merge_set(struct blob_attr *opt, struct uci_ptr *ptr) else if (ptr->o && ptr->o->type == UCI_TYPE_LIST) { uci_delete(cursor, ptr); + ptr->flags = 0; if (!rpc_uci_format_blob(opt, &ptr->value)) return UBUS_STATUS_INVALID_ARGUMENT; @@ -981,6 +984,7 @@ rpc_uci_merge_delete(struct blob_attr *opt, struct uci_ptr *ptr) continue; uci_delete(cursor, ptr); + ptr->flags = 0; rv = 0; } |