uci: fix a potential use-after-free in uci_set()
author Jordan Miner <jminer7@gmail.com>
Sun, 25 Mar 2018 01:30:07 +0000 (20:30 -0500)
committer Hans Dedecker <dedeckeh@gmail.com>
Mon, 26 Mar 2018 19:56:33 +0000 (21:56 +0200)
When calling uci_set() to update an option, if ptr->o != NULL and
ptr->option == NULL, then uci_expand_ptr() will set ptr->option to
ptr->o->e.name (or the caller could set ptr->option to that value). In
this case, the option will be freed just before calling
uci_alloc_option() with ptr->option, which was just freed.

Signed-off-by: Jordan Miner <jminer7@gmail.com>
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
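As an added illustration of the ordering problem the commit message describes (this is not uci's code and none of the names below exist in libuci), here is a stand-alone C model of the "update option" path: the caller's option-name pointer aliases the existing option's own name string, the replacement is allocated while that string is still alive, and only then is the old option freed. struct option, struct section, section_alloc_option(), section_free_option(), update_option() and demo_update() are all invented for this example, as are the "ifname"/"eth0"/"eth1" values. It also covers a point the patch itself leaves open: once the old option is gone, a name pointer that aliased it dangles unless it is re-pointed at the new copy.

```c
/* Added example: stand-alone model of the uci_set() "update option" path.
 * Nothing here is uci's own code; all types and functions are invented. */
#define _POSIX_C_SOURCE 200809L   /* for strdup() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct option {
    struct option *next;
    char *name;   /* stands in for ptr->o->e.name */
    char *value;  /* stands in for ptr->o->v.string */
};

struct section {
    struct option *head;
};

/* Model of uci_alloc_option(): copies name and value, links into the section. */
static struct option *section_alloc_option(struct section *s,
                                           const char *name, const char *value)
{
    struct option *o = calloc(1, sizeof(*o));
    if (!o)
        return NULL;
    o->name = strdup(name);
    o->value = strdup(value);
    if (!o->name || !o->value) {
        free(o->name);
        free(o->value);
        free(o);
        return NULL;
    }
    o->next = s->head;
    s->head = o;
    return o;
}

/* Model of uci_free_option(): unlink from the section and release. */
static void section_free_option(struct section *s, struct option *o)
{
    struct option **pp;
    for (pp = &s->head; *pp; pp = &(*pp)->next) {
        if (*pp == o) {
            *pp = o->next;
            break;
        }
    }
    free(o->name);
    free(o->value);
    free(o);
}

/* Fixed ordering: allocate the replacement (which copies *name) while the
 * old option is still alive, then free the old one. *name may alias
 * old->name, so it is re-pointed at the new copy instead of being left
 * dangling. Returns the live option, or NULL if allocation failed (the
 * old option is then left untouched). */
static struct option *update_option(struct section *s, struct option *old,
                                    const char **name, const char *value)
{
    struct option *o;

    if (!strcmp(old->value, value))
        return old;             /* unchanged: same early return as uci_set() */

    o = section_alloc_option(s, *name, value);
    if (!o)
        return NULL;
    section_free_option(s, old);
    *name = o->name;            /* alias into the freed option would dangle */
    return o;
}

/* Scenario from the commit message: the caller's option name aliases the
 * existing option's own name string. Returns 1 if the update left the
 * section consistent and the alias valid, 0 otherwise. Values are made up. */
static int demo_update(void)
{
    struct section s = { NULL };
    struct option *old = section_alloc_option(&s, "ifname", "eth0");
    const char *name;
    struct option *o;
    int ok;

    if (!old)
        return 0;
    name = old->name;           /* the aliasing that made the old order unsafe */
    o = update_option(&s, old, &name, "eth1");
    ok = o && name == o->name && s.head == o && o->next == NULL &&
         !strcmp(o->name, "ifname") && !strcmp(o->value, "eth1");
    while (s.head)
        section_free_option(&s, s.head);
    return ok;
}

int main(void)
{
    int ok = demo_update();
    printf("update with aliased option name: %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

Running the same scenario with the original order (free first, then allocate from the aliased name) would read freed memory inside the allocation, which is undefined behaviour and exactly what AddressSanitizer would flag; the model therefore only implements the safe order and additionally repairs the caller's alias, which the real patch does not do.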
list.c

diff --git a/list.c b/list.c
index abb202f97764eb50af932e5ef5fbe5e548fb6d2c..25aec56fb31afde8bcc1526fe070ad7574c4b4cc 100644 (file)
--- a/list.c
+++ b/list.c
@@ -699,11 +699,15 @@ int uci_set(struct uci_context *ctx, struct uci_ptr *ptr)
                ptr->s = uci_alloc_section(ptr->p, ptr->value, ptr->section);
                ptr->last = &ptr->s->e;
        } else if (ptr->o && ptr->option) { /* update option */
+               struct uci_option *o;
+
                if ((ptr->o->type == UCI_TYPE_STRING) &&
                        !strcmp(ptr->o->v.string, ptr->value))
                        return 0;
-               uci_free_option(ptr->o);
+
+               o = ptr->o;
                ptr->o = uci_alloc_option(ptr->s, ptr->option, ptr->value);
+               uci_free_option(o);
                ptr->last = &ptr->o->e;
        } else if (ptr->s && ptr->section) { /* update section */
                char *s = uci_strdup(ctx, ptr->value);