DGNum/rpcd
6
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

uci: manually clear uci_ptr flags after uci_delete() operations

Browse source 
This is required to avoid potential use-after-free errors through the
uci_set()->uci_delete()->uci_expand_ptr() call chain when passing
zero-length strings as values.

Ref: https://bugs.openwrt.org/index.php?do=details&task_id=3528
Suggested-by: olegio170 <olegios170@gmail.com>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
This commit is contained in:
Jo-Philipp Wich 2020-12-23 19:06:12 +01:00
parent ea7f4717f8
commit d3f2041f43
1 changed files with 5 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
uci.c
View file

@ -831,8 +831,10 @@ rpc_uci_merge_set(struct blob_attr *opt, struct uci_ptr *ptr)
if (blobmsg_type(opt) == BLOBMSG_TYPE_ARRAY)
{
if (ptr->o)
if (ptr->o) {
uci_delete(cursor, ptr);
ptr->flags = 0;
}
rv = UBUS_STATUS_INVALID_ARGUMENT;
@ -850,6 +852,7 @@ rpc_uci_merge_set(struct blob_attr *opt, struct uci_ptr *ptr)
else if (ptr->o && ptr->o->type == UCI_TYPE_LIST)
{
uci_delete(cursor, ptr);
ptr->flags = 0;
if (!rpc_uci_format_blob(opt, &ptr->value))
return UBUS_STATUS_INVALID_ARGUMENT;
@ -981,6 +984,7 @@ rpc_uci_merge_delete(struct blob_attr *opt, struct uci_ptr *ptr)
continue;
uci_delete(cursor, ptr);
ptr->flags = 0;
rv = 0;
}