| Message ID | 1520909070-26405-1-git-send-email-jminer7@gmail.com |
|---|---|
| State | Changes Requested |
| Series | [LEDE-DEV] uci: fix a potential use-after-free in uci_set() |
On Tue, Mar 13, 2018 at 3:44 AM, Jordan Miner <jminer7@gmail.com> wrote: > When calling uci_set() to update an option, if ptr->o != NULL and > ptr->option == NULL, then uci_expand_ptr() will set ptr->option to > ptr->o->e.name (or the caller could set ptr->option to that value). In > this case, the option will be freed just before calling > uci_alloc_option() with ptr->option, which was just freed. > > Signed-off-by: Jordan Miner <jminer7@gmail.com> > --- > list.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/list.c b/list.c > index 0347138..5a1d891 100644 > --- a/list.c > +++ b/list.c > @@ -698,8 +698,8 @@ int uci_set(struct uci_context *ctx, struct uci_ptr *ptr) > if ((ptr->o->type == UCI_TYPE_STRING) && > !strcmp(ptr->o->v.string, ptr->value)) > return 0; > - uci_free_option(ptr->o); > ptr->o = uci_alloc_option(ptr->s, ptr->option, ptr->value); > + uci_free_option(ptr->o); This introduces a memory leak now as the old option is overridden by the newly allocated option which is immediately freed Hans > ptr->last = &ptr->o->e; > } else if (ptr->s && ptr->section) { /* update section */ > char *s = uci_strdup(ctx, ptr->value); > -- > 2.7.4 > > > _______________________________________________ > Lede-dev mailing list > Lede-dev@lists.infradead.org > http://lists.infradead.org/mailman/listinfo/lede-dev
diff --git a/list.c b/list.c index 0347138..5a1d891 100644 --- a/list.c +++ b/list.c @@ -698,8 +698,8 @@ int uci_set(struct uci_context *ctx, struct uci_ptr *ptr) if ((ptr->o->type == UCI_TYPE_STRING) && !strcmp(ptr->o->v.string, ptr->value)) return 0; - uci_free_option(ptr->o); ptr->o = uci_alloc_option(ptr->s, ptr->option, ptr->value); + uci_free_option(ptr->o); ptr->last = &ptr->o->e; } else if (ptr->s && ptr->section) { /* update section */ char *s = uci_strdup(ctx, ptr->value);
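Review bot: the reordered lines in the uci_set() hunk free the wrong option. After `ptr->o = uci_alloc_option(ptr->s, ptr->option, ptr->value);` the moved `+ uci_free_option(ptr->o);` frees the option that was just allocated, so the old option is leaked and the unchanged `ptr->last = &ptr->o->e;` that follows dereferences freed memory. Keep the motivation (allocate before freeing, because ptr->option may point into the old option's e.name) but hold the old pointer across the allocation: `struct uci_option *old = ptr->o;` before the uci_alloc_option() call and `uci_free_option(old);` after `ptr->o` has been assigned; if callers may keep using ptr->option afterwards, re-point it at the new option's name before freeing `old`.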
When calling uci_set() to update an option, if ptr->o != NULL and ptr->option == NULL, then uci_expand_ptr() will set ptr->option to ptr->o->e.name (or the caller could set ptr->option to that value). In this case, the option will be freed just before calling uci_alloc_option() with ptr->option, which was just freed.

Signed-off-by: Jordan Miner <jminer7@gmail.com>
---
list.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
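The ordering problem the commit message describes, as an added C example that is not uci code: `struct opt`, `opt_alloc()`, `opt_free()`, `struct optptr` and `opt_set()` are stand-ins constructed here for uci_option, uci_alloc_option(), uci_free_option(), struct uci_ptr and uci_set(). It shows the order that avoids both the original use-after-free (free before alloc while the name aliases the freed option) and the leak that freeing the newly assigned pointer would cause.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>

/* Stand-in for a uci option (constructed for this example): like
 * uci_alloc_option(), it owns copies of its name and value. */
struct opt { char *name; char *value; };

static struct opt *opt_alloc(const char *name, const char *value)
{
    struct opt *o = calloc(1, sizeof(*o));
    if (!o) return NULL;
    o->name = strdup(name);
    o->value = strdup(value);
    if (o->name && o->value) return o;
    free(o->name); free(o->value); free(o);
    return NULL;
}

static void opt_free(struct opt *o)
{
    if (!o) return;
    free(o->name); free(o->value); free(o);
}

/* Lookup result in the spirit of struct uci_ptr: `name` may alias o->name,
 * which is the situation the commit message describes. */
struct optptr { struct opt *o; const char *name; const char *value; };

/* Replace p->o with a new option carrying p->name / p->value.
 * Freeing first (the original order) makes opt_alloc() read a freed name
 * when p->name aliases it; assigning the new option to p->o and then freeing
 * p->o frees the new option and leaks the old one. So: keep the old pointer,
 * allocate, repair the alias, then free the old option. */
static int opt_set(struct optptr *p)
{
    struct opt *old = p->o;
    struct opt *n = opt_alloc(p->name, p->value);
    if (!n) return -1;
    p->o = n;
    if (old && p->name == old->name)
        p->name = n->name;   /* the alias would dangle once old is freed */
    opt_free(old);
    return 0;
}
```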