From a5af33ce9a16f6aa599f19cc7161e067fab9495d Mon Sep 17 00:00:00 2001 From: Daniel Golle Date: Sat, 4 Jan 2020 16:16:12 +0200 Subject: [PATCH] instance: strdup string attributes MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Previously string attributes were set to pointers returned by blobmsg_get_string() which caused use-after-free problems. Use strdup() to have copies of all stored strings and free them during cleanup. Reviewed-by: Petr Å tetiar Signed-off-by: Daniel Golle --- service/instance.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/service/instance.c b/service/instance.c index abd1f34..b0c9807 100644 --- a/service/instance.c +++ b/service/instance.c @@ -805,11 +805,11 @@ instance_jail_parse(struct service_instance *in, struct blob_attr *attr) jail->argc = 2; if (tb[JAIL_ATTR_NAME]) { - jail->name = blobmsg_get_string(tb[JAIL_ATTR_NAME]); + jail->name = strdup(blobmsg_get_string(tb[JAIL_ATTR_NAME])); jail->argc += 2; } if (tb[JAIL_ATTR_HOSTNAME]) { - jail->hostname = blobmsg_get_string(tb[JAIL_ATTR_HOSTNAME]); + jail->hostname = strdup(blobmsg_get_string(tb[JAIL_ATTR_HOSTNAME])); jail->argc += 2; } if (tb[JAIL_ATTR_PROCFS]) { @@ -957,12 +957,12 @@ instance_config_parse(struct service_instance *in) in->no_new_privs = blobmsg_get_bool(tb[INSTANCE_ATTR_NO_NEW_PRIVS]); if (!in->trace && tb[INSTANCE_ATTR_SECCOMP]) - in->seccomp = blobmsg_get_string(tb[INSTANCE_ATTR_SECCOMP]); + in->seccomp = strdup(blobmsg_get_string(tb[INSTANCE_ATTR_SECCOMP])); if (tb[INSTANCE_ATTR_PIDFILE]) { char *pidfile = blobmsg_get_string(tb[INSTANCE_ATTR_PIDFILE]); if (pidfile) - in->pidfile = pidfile; + in->pidfile = strdup(pidfile); } if (tb[INSTANCE_ATTR_RELOADSIG]) @@ -1077,6 +1077,10 @@ instance_free(struct service_instance *in) free(in->config); free(in->user); free(in->group); + free(in->jail.name); + free(in->jail.hostname); + free(in->seccomp); + free(in->pidfile); free(in); } -- 2.25.1