From: Jan Venekamp Date: Sun, 20 Nov 2022 01:08:23 +0000 (+0100) Subject: uci: fix use-after-free uci_add_list X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=47697e6579be2c9f4cfc51eec1d35d453c3c7c5e;p=project%2Fuci.git uci: fix use-after-free uci_add_list When uci_add_list is called with ptr->o set and ptr->option = NULL, then in uci_expand_ptr ptr->option is set to ptr->o->e.name. If ptr->o->type is UCI_TYPE_STRING then prev is set to ptr->o. This will result in use-after-free because ptr->option is used in the call to uci_add_delta in uci_add_element_list after uci_free_option(prev). Signed-off-by: Jan Venekamp --- diff --git a/list.c b/list.c index 5148dfd..ba099b6 100644 --- a/list.c +++ b/list.c @@ -652,6 +652,8 @@ int uci_add_list(struct uci_context *ctx, struct uci_ptr *ptr) ptr->o = uci_alloc_list(ptr->s, ptr->option); if (prev) { uci_add_element_list(ctx, ptr, true); + if (ptr->option == prev->e.name) + ptr->option = ptr->o->e.name; uci_free_option(prev); ptr->value = value2; }