uci: fix use-after-free uci_set on update option

When uci_set is called with ptr->o set and ptr->option = NULL,
then in uci_expand_ptr ptr->option is set to ptr->o->e.name.
This will result in use-after-free because ptr->option is used in
the call to uci_add_delta after uci_free_option(ptr->o).

Signed-off-by: Jan Venekamp <jan@venekamp.net>

diff --git a/list.c b/list.c
index 24ed2ee6ddf1fa84adf84acc11ab455086f83df9..ac3686cf9bf0050e38f08faac0ee3973e62c66f5 100644 (file)
--- a/list.c
+++ b/list.c
@@ -725,15 +725,16 @@ int uci_set(struct uci_context *ctx, struct uci_ptr *ptr)
                ptr->s = uci_alloc_section(ptr->p, ptr->value, ptr->section);
                ptr->last = &ptr->s->e;
        } else if (ptr->o && ptr->option) { /* update option */
-               struct uci_option *o;
+               struct uci_option *old = ptr->o;
 
                if ((ptr->o->type == UCI_TYPE_STRING) &&
                        !strcmp(ptr->o->v.string, ptr->value))
                        return 0;
 
-               o = ptr->o;
                ptr->o = uci_alloc_option(ptr->s, ptr->option, ptr->value);
-               uci_free_option(o);
+               if (ptr->option == old->e.name)
+                       ptr->option = ptr->o->e.name;
+               uci_free_option(old);
                ptr->last = &ptr->o->e;
        } else if (ptr->s && ptr->section) { /* update section */
                char *s = uci_strdup(ctx, ptr->value);