uci: manually clear uci_ptr flags after uci_delete() operations

This is required to avoid potential use-after-free errors through the
uci_set()->uci_delete()->uci_expand_ptr() call chain when passing
zero-length strings as values.

Ref: https://bugs.openwrt.org/index.php?do=details&task_id=3528
Suggested-by: olegio170 <olegios170@gmail.com>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>

diff --git a/uci.c b/uci.c
index 327b17fcec6d80bc152bdfc1f7bc06925a0c22af..e2394334134482ec4da993ede5e0334d8d32b14d 100644 (file)
--- a/uci.c
+++ b/uci.c
@@ -831,8 +831,10 @@ rpc_uci_merge_set(struct blob_attr *opt, struct uci_ptr *ptr)
 
        if (blobmsg_type(opt) == BLOBMSG_TYPE_ARRAY)
        {
-               if (ptr->o)
+               if (ptr->o) {
                        uci_delete(cursor, ptr);
+                       ptr->flags = 0;
+               }
 
                rv = UBUS_STATUS_INVALID_ARGUMENT;
 
@@ -850,6 +852,7 @@ rpc_uci_merge_set(struct blob_attr *opt, struct uci_ptr *ptr)
        else if (ptr->o && ptr->o->type == UCI_TYPE_LIST)
        {
                uci_delete(cursor, ptr);
+               ptr->flags = 0;
 
                if (!rpc_uci_format_blob(opt, &ptr->value))
                        return UBUS_STATUS_INVALID_ARGUMENT;
@@ -981,6 +984,7 @@ rpc_uci_merge_delete(struct blob_attr *opt, struct uci_ptr *ptr)
                                continue;
 
                        uci_delete(cursor, ptr);
+                       ptr->flags = 0;
                        rv = 0;
                }