From: Jan Venekamp
Date: Sun, 20 Nov 2022 01:08:20 +0000 (+0100)
Subject: uci: fix use-after-free uci_set on update option
X-Git-Url: http://git.cdn.openwrt.org/?a=commitdiff_plain;h=9b6605ec4c3ad6a6e5b6964b02a28d171a5802b5;p=project%2Fuci.git
uci: fix use-after-free uci_set on update option
When uci_set is called with ptr->o set and ptr->option = NULL, then in uci_expand_ptr ptr->option is set to ptr->o->e.name. This will result in use-after-free because ptr->option is used in the call to uci_add_delta after uci_free_option(ptr->o).
Signed-off-by: Jan Venekamp
---
diff --git a/list.c b/list.c
index 24ed2ee..ac3686c 100644
--- a/list.c
+++ b/list.c
@@ -725,15 +725,16 @@ int uci_set(struct uci_context *ctx, struct uci_ptr *ptr)
 ptr->s = uci_alloc_section(ptr->p, ptr->value, ptr->section);
 ptr->last = &ptr->s->e;
 } else if (ptr->o && ptr->option) { /* update option */
- struct uci_option *o;
+ struct uci_option *old = ptr->o;
 if ((ptr->o->type == UCI_TYPE_STRING) && !strcmp(ptr->o->v.string, ptr->value)) return 0;
- o = ptr->o;
 ptr->o = uci_alloc_option(ptr->s, ptr->option, ptr->value);
- uci_free_option(o);
+ if (ptr->option == old->e.name)
+ ptr->option = ptr->o->e.name;
+ uci_free_option(old);
 ptr->last = &ptr->o->e;
 } else if (ptr->s && ptr->section) { /* update section */
 char *s = uci_strdup(ctx, ptr->value);
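Review bot: The re-pointing of `ptr->option` just before `uci_free_option(old)` carries no comment, so the aliasing rule it relies on is recorded only in the commit message and the pointer comparison looks arbitrary when read in the file. I would add above the check: `/* uci_expand_ptr may have set ptr->option to old->e.name; re-point it so later users (uci_add_delta) do not read freed memory */`. The same lifetime question applies to `ptr->value` if a caller ever passes a pointer into the old option's storage; the hunk does not show whether that can happen, so it is worth confirming or stating as a caller contract. uci_set starts and ends outside this hunk, so the uci_add_delta call and the other branches are not visible here.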