uci: fix use-after-free uci_add_list

When uci_add_list is called with ptr->o set and ptr->option = NULL, then in uci_expand_ptr ptr->option is set to ptr->o->e.name. If ptr->o->type is UCI_TYPE_STRING then prev is set to ptr->o. This will result in use-after-free because ptr->option is used in the call to uci_add_delta in uci_add_element_list after uci_free_option(prev). Signed-off-by: Jan Venekamp <jan@venekamp.net>
author: Jan Venekamp <jan@venekamp.net> 2022-11-20 02:08:23 +0100
committer: Hauke Mehrtens <hauke@hauke-m.de> 2023-03-04 19:39:32 +0100
commit: 47697e6579be2c9f4cfc51eec1d35d453c3c7c5e (patch)
tree: 700e4f7cb3971ac2a08cfa7a8573cca695ed141c
parent: 7e01d66d7bec5f9e3694dcad25c472327a0ff352 (diff)
download: uci-47697e6579be2c9f4cfc51eec1d35d453c3c7c5e.tar.gz
1 files changed, 2 insertions, 0 deletions
diff --git a/list.c b/list.c
index 5148dfd..ba099b6 100644
--- a/list.c
+++ b/list.c
@@ -652,6 +652,8 @@ int uci_add_list(struct uci_context *ctx, struct uci_ptr *ptr)
 	ptr->o = uci_alloc_list(ptr->s, ptr->option);
 	if (prev) {
 		uci_add_element_list(ctx, ptr, true);
+		if (ptr->option == prev->e.name)
+			ptr->option = ptr->o->e.name;
 		uci_free_option(prev);
 		ptr->value = value2;
 	}
author	Jan Venekamp <jan@venekamp.net>	2022-11-20 02:08:23 +0100
committer	Hauke Mehrtens <hauke@hauke-m.de>	2023-03-04 19:39:32 +0100
commit	47697e6579be2c9f4cfc51eec1d35d453c3c7c5e (patch)
tree	700e4f7cb3971ac2a08cfa7a8573cca695ed141c
parent	7e01d66d7bec5f9e3694dcad25c472327a0ff352 (diff)
download	uci-47697e6579be2c9f4cfc51eec1d35d453c3c7c5e.tar.gz