projects / project / uci.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
uci: fix a potential use-after-free in uci_set()
[project/uci.git] / list.c
1 /*
2 * libuci - Library for the Unified Configuration Interface
3 * Copyright (C) 2008 Felix Fietkau <nbd@openwrt.org>
4 *
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU Lesser General Public License version 2.1
7 * as published by the Free Software Foundation
8 *
9 * This program is distributed in the hope that it will be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 * GNU Lesser General Public License for more details.
13 */
14
15 static bool uci_list_set_pos(struct uci_list *head, struct uci_list *ptr, int pos)
16 {
17 struct uci_list *old_head = ptr->prev;
18 struct uci_list *new_head = head;
19 struct uci_element *p = NULL;
20
21 uci_list_del(ptr);
22 uci_foreach_element(head, p) {
23 if (pos-- <= 0)
24 break;
25 new_head = &p->list;
26 }
27
28 uci_list_add(new_head->next, ptr);
29
30 return (old_head != new_head);
31 }
32
33 static inline void uci_list_fixup(struct uci_list *ptr)
34 {
35 ptr->prev->next = ptr;
36 ptr->next->prev = ptr;
37 }
38
39 /*
40 * uci_alloc_generic allocates a new uci_element with payload
41 * payload is appended to the struct to save memory and reduce fragmentation
42 */
43 __private struct uci_element *
44 uci_alloc_generic(struct uci_context *ctx, int type, const char *name, int size)
45 {
46 struct uci_element *e;
47 int datalen = size;
48 void *ptr;
49
50 ptr = uci_malloc(ctx, datalen);
51 e = (struct uci_element *) ptr;
52 e->type = type;
53 if (name) {
54 UCI_TRAP_SAVE(ctx, error);
55 e->name = uci_strdup(ctx, name);
56 UCI_TRAP_RESTORE(ctx);
57 }
58 uci_list_init(&e->list);
59 goto done;
60
61 error:
62 free(ptr);
63 UCI_THROW(ctx, ctx->err);
64
65 done:
66 return e;
67 }
68
69 __private void
70 uci_free_element(struct uci_element *e)
71 {
72 free(e->name);
73 if (!uci_list_empty(&e->list))
74 uci_list_del(&e->list);
75 free(e);
76 }
77
78 static struct uci_option *
79 uci_alloc_option(struct uci_section *s, const char *name, const char *value)
80 {
81 struct uci_package *p = s->package;
82 struct uci_context *ctx = p->ctx;
83 struct uci_option *o;
84
85 o = uci_alloc_element(ctx, option, name, strlen(value) + 1);
86 o->type = UCI_TYPE_STRING;
87 o->v.string = uci_dataptr(o);
88 o->section = s;
89 strcpy(o->v.string, value);
90 uci_list_add(&s->options, &o->e.list);
91
92 return o;
93 }
94
95 static inline void
96 uci_free_option(struct uci_option *o)
97 {
98 struct uci_element *e, *tmp;
99
100 switch(o->type) {
101 case UCI_TYPE_STRING:
102 if ((o->v.string != uci_dataptr(o)) &&
103 (o->v.string != NULL))
104 free(o->v.string);
105 break;
106 case UCI_TYPE_LIST:
107 uci_foreach_element_safe(&o->v.list, tmp, e) {
108 uci_free_element(e);
109 }
110 break;
111 default:
112 break;
113 }
114 uci_free_element(&o->e);
115 }
116
117 static struct uci_option *
118 uci_alloc_list(struct uci_section *s, const char *name)
119 {
120 struct uci_package *p = s->package;
121 struct uci_context *ctx = p->ctx;
122 struct uci_option *o;
123
124 o = uci_alloc_element(ctx, option, name, 0);
125 o->type = UCI_TYPE_LIST;
126 o->section = s;
127 uci_list_init(&o->v.list);
128 uci_list_add(&s->options, &o->e.list);
129
130 return o;
131 }
132
133 /* Based on an efficient hash function published by D. J. Bernstein */
134 static unsigned int djbhash(unsigned int hash, char *str)
135 {
136 int len = strlen(str);
137 int i;
138
139 /* initial value */
140 if (hash == ~0)
141 hash = 5381;
142
143 for(i = 0; i < len; i++) {
144 hash = ((hash << 5) + hash) + str[i];
145 }
146 return (hash & 0x7FFFFFFF);
147 }
148
149 /* fix up an unnamed section, e.g. after adding options to it */
150 static void uci_fixup_section(struct uci_context *ctx, struct uci_section *s)
151 {
152 unsigned int hash = ~0;
153 struct uci_element *e;
154 char buf[16];
155
156 if (!s || s->e.name)
157 return;
158
159 /*
160 * Generate a name for unnamed sections. This is used as reference
161 * when locating or updating the section from apps/scripts.
162 * To make multiple concurrent versions somewhat safe for updating,
163 * the name is generated from a hash of its type and name/value
164 * pairs of its option, and it is prefixed by a counter value.
165 * If the order of the unnamed sections changes for some reason,
166 * updates to them will be rejected.
167 */
168 hash = djbhash(hash, s->type);
169 uci_foreach_element(&s->options, e) {
170 struct uci_option *o;
171 hash = djbhash(hash, e->name);
172 o = uci_to_option(e);
173 switch(o->type) {
174 case UCI_TYPE_STRING:
175 hash = djbhash(hash, o->v.string);
176 break;
177 default:
178 break;
179 }
180 }
181 sprintf(buf, "cfg%02x%04x", s->package->n_section, hash % (1 << 16));
182 s->e.name = uci_strdup(ctx, buf);
183 }
184
185 static struct uci_section *
186 uci_alloc_section(struct uci_package *p, const char *type, const char *name)
187 {
188 struct uci_context *ctx = p->ctx;
189 struct uci_section *s;
190
191 if (name && !name[0])
192 name = NULL;
193
194 s = uci_alloc_element(ctx, section, name, strlen(type) + 1);
195 uci_list_init(&s->options);
196 s->type = uci_dataptr(s);
197 s->package = p;
198 strcpy(s->type, type);
199 if (name == NULL)
200 s->anonymous = true;
201 p->n_section++;
202
203 uci_list_add(&p->sections, &s->e.list);
204
205 return s;
206 }
207
208 static void
209 uci_free_section(struct uci_section *s)
210 {
211 struct uci_element *o, *tmp;
212
213 uci_foreach_element_safe(&s->options, tmp, o) {
214 uci_free_option(uci_to_option(o));
215 }
216 if ((s->type != uci_dataptr(s)) &&
217 (s->type != NULL))
218 free(s->type);
219 uci_free_element(&s->e);
220 }
221
222 __private struct uci_package *
223 uci_alloc_package(struct uci_context *ctx, const char *name)
224 {
225 struct uci_package *p;
226
227 p = uci_alloc_element(ctx, package, name, 0);
228 p->ctx = ctx;
229 uci_list_init(&p->sections);
230 uci_list_init(&p->delta);
231 uci_list_init(&p->saved_delta);
232 return p;
233 }
234
235 __private void
236 uci_free_package(struct uci_package **package)
237 {
238 struct uci_element *e, *tmp;
239 struct uci_package *p = *package;
240
241 if(!p)
242 return;
243
244 free(p->path);
245 uci_foreach_element_safe(&p->sections, tmp, e) {
246 uci_free_section(uci_to_section(e));
247 }
248 uci_foreach_element_safe(&p->delta, tmp, e) {
249 uci_free_delta(uci_to_delta(e));
250 }
251 uci_foreach_element_safe(&p->saved_delta, tmp, e) {
252 uci_free_delta(uci_to_delta(e));
253 }
254 uci_free_element(&p->e);
255 *package = NULL;
256 }
257
258 static void
259 uci_free_any(struct uci_element **e)
260 {
261 switch((*e)->type) {
262 case UCI_TYPE_SECTION:
263 uci_free_section(uci_to_section(*e));
264 break;
265 case UCI_TYPE_OPTION:
266 uci_free_option(uci_to_option(*e));
267 break;
268 default:
269 break;
270 }
271 *e = NULL;
272 }
273
274 __private struct uci_element *
275 uci_lookup_list(struct uci_list *list, const char *name)
276 {
277 struct uci_element *e;
278
279 uci_foreach_element(list, e) {
280 if (!strcmp(e->name, name))
281 return e;
282 }
283 return NULL;
284 }
285
286 static struct uci_element *
287 uci_lookup_ext_section(struct uci_context *ctx, struct uci_ptr *ptr)
288 {
289 char *idxstr, *t, *section, *name;
290 struct uci_element *e = NULL;
291 struct uci_section *s;
292 int idx, c;
293
294 section = uci_strdup(ctx, ptr->section);
295 name = idxstr = section + 1;
296
297 if (section[0] != '@')
298 goto error;
299
300 /* parse the section index part */
301 idxstr = strchr(idxstr, '[');
302 if (!idxstr)
303 goto error;
304 *idxstr = 0;
305 idxstr++;
306
307 t = strchr(idxstr, ']');
308 if (!t)
309 goto error;
310 if (t[1] != 0)
311 goto error;
312 *t = 0;
313
314 t = NULL;
315 idx = strtol(idxstr, &t, 10);
316 if (t && *t)
317 goto error;
318
319 if (!*name)
320 name = NULL;
321 else if (!uci_validate_type(name))
322 goto error;
323
324 /* if the given index is negative, it specifies the section number from
325 * the end of the list */
326 if (idx < 0) {
327 c = 0;
328 uci_foreach_element(&ptr->p->sections, e) {
329 s = uci_to_section(e);
330 if (name && (strcmp(s->type, name) != 0))
331 continue;
332
333 c++;
334 }
335 idx += c;
336 }
337
338 c = 0;
339 uci_foreach_element(&ptr->p->sections, e) {
340 s = uci_to_section(e);
341 if (name && (strcmp(s->type, name) != 0))
342 continue;
343
344 if (idx == c)
345 goto done;
346 c++;
347 }
348 e = NULL;
349 goto done;
350
351 error:
352 free(section);
353 memset(ptr, 0, sizeof(struct uci_ptr));
354 UCI_THROW(ctx, UCI_ERR_INVAL);
355 done:
356 free(section);
357 if (e)
358 ptr->section = e->name;
359 return e;
360 }
361
362 int
363 uci_lookup_next(struct uci_context *ctx, struct uci_element **e, struct uci_list *list, const char *name)
364 {
365 UCI_HANDLE_ERR(ctx);
366
367 *e = uci_lookup_list(list, name);
368 if (!*e)
369 UCI_THROW(ctx, UCI_ERR_NOTFOUND);
370
371 return 0;
372 }
373
374 int
375 uci_lookup_ptr(struct uci_context *ctx, struct uci_ptr *ptr, char *str, bool extended)
376 {
377 struct uci_element *e;
378
379 UCI_HANDLE_ERR(ctx);
380 UCI_ASSERT(ctx, ptr != NULL);
381
382 if (str)
383 UCI_INTERNAL(uci_parse_ptr, ctx, ptr, str);
384
385 ptr->flags |= UCI_LOOKUP_DONE;
386
387 /* look up the package first */
388 if (ptr->p)
389 e = &ptr->p->e;
390 else
391 e = uci_lookup_list(&ctx->root, ptr->package);
392
393 if (!e) {
394 UCI_INTERNAL(uci_load, ctx, ptr->package, &ptr->p);
395 if (!ptr->p)
396 goto notfound;
397 ptr->last = &ptr->p->e;
398 } else {
399 ptr->p = uci_to_package(e);
400 ptr->last = e;
401 }
402
403 if (!ptr->section && !ptr->s)
404 goto complete;
405
406 /* if the section name validates as a regular name, pass through
407 * to the regular uci_lookup function call */
408 if (ptr->s) {
409 e = &ptr->s->e;
410 } else if (ptr->flags & UCI_LOOKUP_EXTENDED) {
411 if (extended)
412 e = uci_lookup_ext_section(ctx, ptr);
413 else
414 UCI_THROW(ctx, UCI_ERR_INVAL);
415 } else {
416 e = uci_lookup_list(&ptr->p->sections, ptr->section);
417 }
418
419 if (!e)
420 goto abort;
421
422 ptr->last = e;
423 ptr->s = uci_to_section(e);
424
425 if (ptr->option) {
426 e = uci_lookup_list(&ptr->s->options, ptr->option);
427 if (!e)
428 goto abort;
429
430 ptr->o = uci_to_option(e);
431 ptr->last = e;
432 }
433
434 complete:
435 ptr->flags |= UCI_LOOKUP_COMPLETE;
436 abort:
437 return UCI_OK;
438
439 notfound:
440 UCI_THROW(ctx, UCI_ERR_NOTFOUND);
441 /* not a chance here */
442 return UCI_ERR_NOTFOUND;
443 }
444
445 __private struct uci_element *
446 uci_expand_ptr(struct uci_context *ctx, struct uci_ptr *ptr, bool complete)
447 {
448 UCI_ASSERT(ctx, ptr != NULL);
449
450 if (!(ptr->flags & UCI_LOOKUP_DONE))
451 UCI_INTERNAL(uci_lookup_ptr, ctx, ptr, NULL, 1);
452 if (complete && !(ptr->flags & UCI_LOOKUP_COMPLETE))
453 UCI_THROW(ctx, UCI_ERR_NOTFOUND);
454 UCI_ASSERT(ctx, ptr->p != NULL);
455
456 /* fill in missing string info */
457 if (ptr->p && !ptr->package)
458 ptr->package = ptr->p->e.name;
459 if (ptr->s && !ptr->section)
460 ptr->section = ptr->s->e.name;
461 if (ptr->o && !ptr->option)
462 ptr->option = ptr->o->e.name;
463
464 if (ptr->o)
465 return &ptr->o->e;
466 if (ptr->s)
467 return &ptr->s->e;
468 if (ptr->p)
469 return &ptr->p->e;
470 else
471 return NULL;
472 }
473
474 static void uci_add_element_list(struct uci_context *ctx, struct uci_ptr *ptr, bool internal)
475 {
476 struct uci_element *e;
477 struct uci_package *p;
478
479 p = ptr->p;
480 if (!internal && p->has_delta)
481 uci_add_delta(ctx, &p->delta, UCI_CMD_LIST_ADD, ptr->section, ptr->option, ptr->value);
482
483 e = uci_alloc_generic(ctx, UCI_TYPE_ITEM, ptr->value, sizeof(struct uci_option));
484 uci_list_add(&ptr->o->v.list, &e->list);
485 }
486
487 int uci_rename(struct uci_context *ctx, struct uci_ptr *ptr)
488 {
489 /* NB: UCI_INTERNAL use means without delta tracking */
490 bool internal = ctx && ctx->internal;
491 struct uci_element *e;
492 struct uci_package *p;
493 char *n;
494
495 UCI_HANDLE_ERR(ctx);
496
497 e = uci_expand_ptr(ctx, ptr, true);
498 p = ptr->p;
499
500 UCI_ASSERT(ctx, ptr->s);
501 UCI_ASSERT(ctx, ptr->value);
502
503 if (!internal && p->has_delta)
504 uci_add_delta(ctx, &p->delta, UCI_CMD_RENAME, ptr->section, ptr->option, ptr->value);
505
506 n = uci_strdup(ctx, ptr->value);
507 free(e->name);
508 e->name = n;
509
510 if (e->type == UCI_TYPE_SECTION)
511 uci_to_section(e)->anonymous = false;
512
513 return 0;
514 }
515
516 int uci_reorder_section(struct uci_context *ctx, struct uci_section *s, int pos)
517 {
518 struct uci_package *p = s->package;
519 bool internal = ctx && ctx->internal;
520 bool changed = false;
521 char order[32];
522
523 UCI_HANDLE_ERR(ctx);
524
525 changed = uci_list_set_pos(&s->package->sections, &s->e.list, pos);
526 if (!internal && p->has_delta && changed) {
527 sprintf(order, "%d", pos);
528 uci_add_delta(ctx, &p->delta, UCI_CMD_REORDER, s->e.name, NULL, order);
529 }
530
531 return 0;
532 }
533
534 int uci_add_section(struct uci_context *ctx, struct uci_package *p, const char *type, struct uci_section **res)
535 {
536 bool internal = ctx && ctx->internal;
537 struct uci_section *s;
538
539 UCI_HANDLE_ERR(ctx);
540 UCI_ASSERT(ctx, p != NULL);
541 s = uci_alloc_section(p, type, NULL);
542 if (s && s->anonymous)
543 uci_fixup_section(ctx, s);
544 *res = s;
545 if (!internal && p->has_delta)
546 uci_add_delta(ctx, &p->delta, UCI_CMD_ADD, s->e.name, NULL, type);
547
548 return 0;
549 }
550
551 int uci_delete(struct uci_context *ctx, struct uci_ptr *ptr)
552 {
553 /* NB: pass on internal flag to uci_del_element */
554 bool internal = ctx && ctx->internal;
555 struct uci_package *p;
556 struct uci_element *e1, *e2, *tmp;
557 int index;
558
559 UCI_HANDLE_ERR(ctx);
560
561 e1 = uci_expand_ptr(ctx, ptr, true);
562 p = ptr->p;
563
564 UCI_ASSERT(ctx, ptr->s);
565
566 if (ptr->o && ptr->o->type == UCI_TYPE_LIST && ptr->value && *ptr->value) {
567 if (!sscanf(ptr->value, "%d", &index))
568 return 1;
569
570 uci_foreach_element_safe(&ptr->o->v.list, tmp, e2) {
571 if (index == 0) {
572 if (!internal && p->has_delta)
573 uci_add_delta(ctx, &p->delta, UCI_CMD_REMOVE, ptr->section, ptr->option, ptr->value);
574 uci_free_option(uci_to_option(e2));
575 return 0;
576 }
577 index--;
578 }
579
580 return 0;
581 }
582
583 if (!internal && p->has_delta)
584 uci_add_delta(ctx, &p->delta, UCI_CMD_REMOVE, ptr->section, ptr->option, NULL);
585
586 uci_free_any(&e1);
587
588 if (ptr->option)
589 ptr->o = NULL;
590 else if (ptr->section)
591 ptr->s = NULL;
592
593 return 0;
594 }
595
596 int uci_add_list(struct uci_context *ctx, struct uci_ptr *ptr)
597 {
598 /* NB: UCI_INTERNAL use means without delta tracking */
599 bool internal = ctx && ctx->internal;
600 struct uci_option *prev = NULL;
601 const char *value2 = NULL;
602
603 UCI_HANDLE_ERR(ctx);
604
605 uci_expand_ptr(ctx, ptr, false);
606 UCI_ASSERT(ctx, ptr->s);
607 UCI_ASSERT(ctx, ptr->value);
608
609 if (ptr->o) {
610 switch (ptr->o->type) {
611 case UCI_TYPE_STRING:
612 /* we already have a string value, convert that to a list */
613 prev = ptr->o;
614 value2 = ptr->value;
615 ptr->value = ptr->o->v.string;
616 break;
617 case UCI_TYPE_LIST:
618 uci_add_element_list(ctx, ptr, internal);
619 return 0;
620 default:
621 UCI_THROW(ctx, UCI_ERR_INVAL);
622 break;
623 }
624 }
625
626 ptr->o = uci_alloc_list(ptr->s, ptr->option);
627 if (prev) {
628 uci_add_element_list(ctx, ptr, true);
629 uci_free_option(prev);
630 ptr->value = value2;
631 }
632 uci_add_element_list(ctx, ptr, internal);
633
634 return 0;
635 }
636
637 int uci_del_list(struct uci_context *ctx, struct uci_ptr *ptr)
638 {
639 /* NB: pass on internal flag to uci_del_element */
640 bool internal = ctx && ctx->internal;
641 struct uci_element *e, *tmp;
642 struct uci_package *p;
643
644 UCI_HANDLE_ERR(ctx);
645
646 uci_expand_ptr(ctx, ptr, false);
647 UCI_ASSERT(ctx, ptr->s);
648 UCI_ASSERT(ctx, ptr->value);
649
650 if (!(ptr->o && ptr->option))
651 return 0;
652
653 if ((ptr->o->type != UCI_TYPE_LIST))
654 return 0;
655
656 p = ptr->p;
657 if (!internal && p->has_delta)
658 uci_add_delta(ctx, &p->delta, UCI_CMD_LIST_DEL, ptr->section, ptr->option, ptr->value);
659
660 uci_foreach_element_safe(&ptr->o->v.list, tmp, e) {
661 if (!strcmp(ptr->value, uci_to_option(e)->e.name)) {
662 uci_free_option(uci_to_option(e));
663 }
664 }
665
666 return 0;
667 }
668
669 int uci_set(struct uci_context *ctx, struct uci_ptr *ptr)
670 {
671 /* NB: UCI_INTERNAL use means without delta tracking */
672 bool internal = ctx && ctx->internal;
673
674 UCI_HANDLE_ERR(ctx);
675 uci_expand_ptr(ctx, ptr, false);
676 UCI_ASSERT(ctx, ptr->value);
677 UCI_ASSERT(ctx, ptr->s || (!ptr->option && ptr->section));
678 if (!ptr->option && ptr->value[0]) {
679 UCI_ASSERT(ctx, uci_validate_type(ptr->value));
680 }
681
682 if (!ptr->o && ptr->s && ptr->option) {
683 struct uci_element *e;
684 e = uci_lookup_list(&ptr->s->options, ptr->option);
685 if (e)
686 ptr->o = uci_to_option(e);
687 }
688 if (!ptr->value[0]) {
689 /* if setting a nonexistant option/section to a nonexistant value,
690 * exit without errors */
691 if (!(ptr->flags & UCI_LOOKUP_COMPLETE))
692 return 0;
693
694 return uci_delete(ctx, ptr);
695 } else if (!ptr->o && ptr->option) { /* new option */
696 ptr->o = uci_alloc_option(ptr->s, ptr->option, ptr->value);
697 ptr->last = &ptr->o->e;
698 } else if (!ptr->s && ptr->section) { /* new section */
699 ptr->s = uci_alloc_section(ptr->p, ptr->value, ptr->section);
700 ptr->last = &ptr->s->e;
701 } else if (ptr->o && ptr->option) { /* update option */
702 struct uci_option *o;
703
704 if ((ptr->o->type == UCI_TYPE_STRING) &&
705 !strcmp(ptr->o->v.string, ptr->value))
706 return 0;
707
708 o = ptr->o;
709 ptr->o = uci_alloc_option(ptr->s, ptr->option, ptr->value);
710 uci_free_option(o);
711 ptr->last = &ptr->o->e;
712 } else if (ptr->s && ptr->section) { /* update section */
713 char *s = uci_strdup(ctx, ptr->value);
714
715 if (ptr->s->type == uci_dataptr(ptr->s)) {
716 ptr->last = NULL;
717 ptr->last = uci_realloc(ctx, ptr->s, sizeof(struct uci_section));
718 ptr->s = uci_to_section(ptr->last);
719 uci_list_fixup(&ptr->s->e.list);
720 } else {
721 free(ptr->s->type);
722 }
723 ptr->s->type = s;
724 } else {
725 UCI_THROW(ctx, UCI_ERR_INVAL);
726 }
727
728 if (!internal && ptr->p->has_delta)
729 uci_add_delta(ctx, &ptr->p->delta, UCI_CMD_CHANGE, ptr->section, ptr->option, ptr->value);
730
731 return 0;
732 }
733
734 int uci_unload(struct uci_context *ctx, struct uci_package *p)
735 {
736 UCI_HANDLE_ERR(ctx);
737 UCI_ASSERT(ctx, p != NULL);
738
739 uci_free_package(&p);
740 return 0;
741 }
742
OpenWrt Unified Configuration Interface