uci: fix use-after-free uci_add_list

When uci_add_list is called with ptr->o set and ptr->option = NULL,
then in uci_expand_ptr ptr->option is set to ptr->o->e.name.
If ptr->o->type is UCI_TYPE_STRING then prev is set to ptr->o.
This will result in use-after-free because ptr->option is used in
the call to uci_add_delta in uci_add_element_list after
uci_free_option(prev).

Signed-off-by: Jan Venekamp <jan@venekamp.net>

diff --git a/list.c b/list.c
index 5148dfd939ee7451a42a46b0fc730999eff39288..ba099b646bc1a8c646490a25c08104cd9667c808 100644 (file)
--- a/list.c
+++ b/list.c
@@ -652,6 +652,8 @@ int uci_add_list(struct uci_context *ctx, struct uci_ptr *ptr)
        ptr->o = uci_alloc_list(ptr->s, ptr->option);
        if (prev) {
                uci_add_element_list(ctx, ptr, true);
+               if (ptr->option == prev->e.name)
+                       ptr->option = ptr->o->e.name;
                uci_free_option(prev);
                ptr->value = value2;
        }