diff options
| author | Luka Koznjak <luka.koznjak@sartura.hr> | 2019-12-04 21:36:34 +0100 |
|---|---|---|
| committer | Luka Perkov <luka.perkov@sartura.hr> | 2020-01-27 23:24:48 +0100 |
| commit | e8d83732f9eb571dce71aa915ff38a072579610b (patch) | |
| tree | d1a3cff243807aad79083750befa58dc8224195b | |
| parent | aa5e77a13d955ac9b497efc015c957c475734f0d (diff) | |
| download | uci-e8d83732f9eb571dce71aa915ff38a072579610b.tar.gz | |
file: fix segfault in uci_parse_option
Fixed a segmentation fault caused by using a pointer to a reallocated
address. The name pointer in the uci_parse_option function
becomes invalid if assert_eol calls uci_realloc down the line,
resulting in a segmentation fault when attempting to dereference
name in a strcmp check in uci_lookup_list. A simple fix is
to call assert_eol before retrieving the actual address for
the name and type pointers.
The segmentation fault has been found while fuzzing the
uci configuration system for various types of different crashes
and undefined behavious, which resulted in multiple different
import files causing instability and sementation faults.
Signed-off-by: Luka Kožnjak <luka.koznjak@sartura.hr>
Signed-off-by: Juraj Vijtiuk <juraj.vijtiuk@sartura.hr>
CC: Luka Perkov <luka.perkov@sartura.hr>
| -rw-r--r-- | file.c | 2 |
1 files changed, 1 insertions, 1 deletions
@@ -471,9 +471,9 @@ static void uci_parse_option(struct uci_context *ctx, bool list) ofs_name = next_arg(ctx, true, true, false); ofs_value = next_arg(ctx, false, false, false); + assert_eol(ctx); name = pctx_str(pctx, ofs_name); value = pctx_str(pctx, ofs_value); - assert_eol(ctx); uci_fill_ptr(ctx, &ptr, &pctx->section->e); e = uci_lookup_list(&pctx->section->options, name); |