Commit bd0ed252 authored by Jo-Philipp Wich

uci: reset uci_ptr flags when merging set operations

In some cases, e.g. when subsequently setting multiple empty option
values, uci_set() might free the section pointer of the given reused
uci_ptr structure without zeroing it, leading to a use-after-free on
processing subsequent options.

Avoid this issue by clearing the lookup pointer flags in order to
prevent uci_set() from incorrectly branching into a uci_delete()
operation leading to the freeing of the section member.

Ref: http://lists.infradead.org/pipermail/openwrt-devel/2019-October/019592.html
Reported-by: Daniel Danzberger <daniel@dd-wrt.com>
Suggested-by: Yousong Zhou <yszhou4tech@gmail.com>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
parent 37aa9196
......@@ -817,6 +817,7 @@ rpc_uci_merge_set(struct blob_attr *opt, struct uci_ptr *ptr)
struct blob_attr *cur;
int rem, rv;
ptr->flags = 0;
ptr->o = NULL;
ptr->option = blobmsg_name(opt);
ptr->value = NULL;
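Review bot: the new `ptr->flags = 0;` at the top of the per-option loop in rpc_uci_merge_set() carries no comment, yet it is the whole fix; the rationale (stale lookup flags on the reused uci_ptr make uci_set() take the uci_delete() path for an empty value and free the section member, per the commit message) lives only in the log. Add a one-line comment above it so the next person who "tidies" the initialisation does not drop it, for example: `/* clear stale lookup flags: a reused ptr must not make uci_set() branch into uci_delete() */`. Note also that the hunk resets `flags`, `o`, `option` and `value` but deliberately leaves `ptr->s` as set by the caller; that is correct for this fix only because the delete branch is now never taken, so it is worth stating in the same comment that `ptr->s` is expected to stay valid across iterations.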