From aa5e77a13d955ac9b497efc015c957c475734f0d Mon Sep 17 00:00:00 2001 From: Luka Koznjak Date: Wed, 4 Dec 2019 21:35:10 +0100 Subject: [PATCH] file: fix segfault in uci_parse_config MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Fixed a segmentation fault caused by using a pointer to a reallocated address. The name pointer in the uci_parse_config function becomes invalid if assert_eol calls uci_realloc down the line, resulting in a segmentation fault when attempting to dereference name. A simple fix is to call assert_eol before retrieving the actual address for the name and type pointers. The segmentation fault has been found while fuzzing the uci configuration system for various types of different crashes and undefined behavious, which resulted in multiple different import files causing instability and sementation faults. Signed-off-by: Luka Kožnjak Signed-off-by: Juraj Vijtiuk CC: Luka Perkov --- file.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/file.c b/file.c index f5032bd..3cd7702 100644 --- a/file.c +++ b/file.c @@ -425,9 +425,9 @@ static void uci_parse_config(struct uci_context *ctx) uci_parse_error(ctx, "invalid character in type field"); ofs_name = next_arg(ctx, false, true, false); + assert_eol(ctx); type = pctx_str(pctx, ofs_type); name = pctx_str(pctx, ofs_name); - assert_eol(ctx); if (!name || !name[0]) { ctx->internal = !pctx->merge; -- 2.30.2