This is required to avoid potential use-after-free errors through the
uci_set()->uci_delete()->uci_expand_ptr() call chain when passing
zero-length strings as values.
Ref: https://bugs.openwrt.org/index.php?do=details&task_id=3528
Suggested-by: olegio170 <olegios170@gmail.com>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
if (blobmsg_type(opt) == BLOBMSG_TYPE_ARRAY)
{
- if (ptr->o)
+ if (ptr->o) {
uci_delete(cursor, ptr);
+ ptr->flags = 0;
+ }
rv = UBUS_STATUS_INVALID_ARGUMENT;
else if (ptr->o && ptr->o->type == UCI_TYPE_LIST)
{
uci_delete(cursor, ptr);
+ ptr->flags = 0;
if (!rpc_uci_format_blob(opt, &ptr->value))
return UBUS_STATUS_INVALID_ARGUMENT;
continue;
uci_delete(cursor, ptr);
+ ptr->flags = 0;
rv = 0;
}