uci: reset uci_ptr flags when merging set operations

In some cases, e.g. when subsequently setting multiple empty option values, uci_set() might free the section pointer of the given reused uci_ptr structure without zeroing it, leading to a use-after-free on processing subsequent options. Avoid this issue by clearing the lookup pointer flags in order to prevent uci_set() from incorrectly branching into a uci_delete() operation leading to the freeing of the section member. Ref: http://lists.infradead.org/pipermail/openwrt-devel/2019-October/019592.html Reported-by: Daniel Danzberger <daniel@dd-wrt.com> Suggested-by: Yousong Zhou <yszhou4tech@gmail.com> Signed-off-by: Jo-Philipp Wich <jo@mein.io>
author: Jo-Philipp Wich <jo@mein.io> 2019-10-29 08:28:17 +0100
committer: Jo-Philipp Wich <jo@mein.io> 2019-10-29 08:28:17 +0100
commit: bd0ed2521476c3e5b6c1a0e0bd2c386ea809d74b (patch)
tree: 1e1ef0d2253ef11a887ba95c4215d623f042a052
parent: 37aa9196b603769ffbff4d0c58f76259a3791384 (diff)
download: rpcd-bd0ed2521476c3e5b6c1a0e0bd2c386ea809d74b.tar.gz
1 files changed, 1 insertions, 0 deletions
diff --git a/uci.c b/uci.c
index 1587a19..0de6f3e 100644
--- a/uci.c
+++ b/uci.c
@@ -817,6 +817,7 @@ rpc_uci_merge_set(struct blob_attr *opt, struct uci_ptr *ptr)
 	struct blob_attr *cur;
 	int rem, rv;
 
+	ptr->flags = 0;
 	ptr->o = NULL;
 	ptr->option = blobmsg_name(opt);
 	ptr->value = NULL;
author	Jo-Philipp Wich <jo@mein.io>	2019-10-29 08:28:17 +0100
committer	Jo-Philipp Wich <jo@mein.io>	2019-10-29 08:28:17 +0100
commit	bd0ed2521476c3e5b6c1a0e0bd2c386ea809d74b (patch)
tree	1e1ef0d2253ef11a887ba95c4215d623f042a052
parent	37aa9196b603769ffbff4d0c58f76259a3791384 (diff)
download	rpcd-bd0ed2521476c3e5b6c1a0e0bd2c386ea809d74b.tar.gz