uci: reset uci_ptr flags when merging set operations
author	Jo-Philipp Wich <jo@mein.io>
	Tue, 29 Oct 2019 07:28:17 +0000 (08:28 +0100)
committer	Jo-Philipp Wich <jo@mein.io>
	Tue, 26 May 2020 14:16:50 +0000 (16:16 +0200)
In some cases, e.g. when subsequently setting multiple empty option
values, uci_set() might free the section pointer of the given reused
uci_ptr structure without zeroing it, leading to a use-after-free on
processing subsequent options.

Avoid this issue by clearing the lookup pointer flags in order to
prevent uci_set() from incorrectly branching into a uci_delete()
operation leading to the freeing of the section member.

Ref: http://lists.infradead.org/pipermail/openwrt-devel/2019-October/019592.html
Reported-by: Daniel Danzberger <daniel@dd-wrt.com>
Suggested-by: Yousong Zhou <yszhou4tech@gmail.com>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit bd0ed2521476c3e5b6c1a0e0bd2c386ea809d74b)

uci.c

diff --git a/uci.c b/uci.c
index 1587a197a2bd6eb07345c7d21803b15143fa58e2..0de6f3e23f8d3ba2fbfa1a653a9129ce26fb7dd0 100644 (file)
--- a/uci.c
+++ b/uci.c
@@ -817,6 +817,7 @@ rpc_uci_merge_set(struct blob_attr *opt, struct uci_ptr *ptr)
        struct blob_attr *cur;
        int rem, rv;
 
+       ptr->flags = 0;
        ptr->o = NULL;
        ptr->option = blobmsg_name(opt);
        ptr->value = NULL;
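Review bot: the added `ptr->flags = 0;` is the whole fix, but nothing in the hunk says why it is needed; add a one-line comment above it stating that `ptr` is reused across the options of one set request and that lookup flags left over from the previous uci_set() call make an empty value look like a delete, which frees the section member (the use-after-free described in the commit message). Without that comment the reset reads as an arbitrary field initialisation next to `ptr->o = NULL;` and `ptr->value = NULL;` and is easy to drop in a later refactor. It would also be worth pairing this with a regression case that sets several consecutive empty option values through rpc_uci_merge_set() and confirms that `ptr->s` is still valid when the last one is processed, since that is the exact sequence the message says triggered the freeing.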