From bd0ed2521476c3e5b6c1a0e0bd2c386ea809d74b Mon Sep 17 00:00:00 2001
From: Jo-Philipp Wich <jo@mein.io>
Date: Tue, 29 Oct 2019 08:28:17 +0100
Subject: uci: reset uci_ptr flags when merging set operations

In some cases, e.g. when subsequently setting multiple empty option
values, uci_set() might free the section pointer of the given reused
uci_ptr structure without zeroing it, leading to a use-after-free on
processing subsequent options.

Avoid this issue by clearing the lookup pointer flags in order to
prevent uci_set() from incorrectly branching into a uci_delete()
operation leading to the freeing of the section member.

Ref: http://lists.infradead.org/pipermail/openwrt-devel/2019-October/019592.html
Reported-by: Daniel Danzberger <daniel@dd-wrt.com>
Suggested-by: Yousong Zhou <yszhou4tech@gmail.com>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
---
 uci.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/uci.c b/uci.c
index 1587a19..0de6f3e 100644
--- a/uci.c
+++ b/uci.c
@@ -817,6 +817,7 @@ rpc_uci_merge_set(struct blob_attr *opt, struct uci_ptr *ptr)
 	struct blob_attr *cur;
 	int rem, rv;
 
+	ptr->flags = 0;
 	ptr->o = NULL;
 	ptr->option = blobmsg_name(opt);
 	ptr->value = NULL;
-- 
cgit v1.2.1