From 2af71375f7a03d78dc9e3e4155e59e51f17a8327 Mon Sep 17 00:00:00 2001
From: Hans Dedecker <dedeckeh@gmail.com>
Date: Thu, 12 Feb 2015 17:41:16 +0100
Subject: [PATCH] netifd: Keep reference to a config copy in device type
 specific reload handler as the original config pointer might go stale

Fixes random observed crashes in blobmsg_parse when device type specific
config data is parsed.

Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
---
 bridge.c  | 3 +++
 macvlan.c | 3 +++
 vlandev.c | 3 +++
 3 files changed, 9 insertions(+)

diff --git a/bridge.c b/bridge.c
index f8478ad..7076fd7 100644
--- a/bridge.c
+++ b/bridge.c
@@ -491,6 +491,7 @@ bridge_free(struct device *dev)
 
 	bst = container_of(dev, struct bridge_state, dev);
 	vlist_flush_all(&bst->members);
+	free(bst->config_data);
 	free(bst);
 }
 
@@ -594,6 +595,7 @@ bridge_reload(struct device *dev, struct blob_attr *attr)
 	BUILD_BUG_ON(sizeof(diff) < __DEV_ATTR_MAX / 8);
 
 	bst = container_of(dev, struct bridge_state, dev);
+	attr = blob_memdup(attr);
 
 	blobmsg_parse(device_attr_list.params, __DEV_ATTR_MAX, tb_dev,
 		blob_data(attr), blob_len(attr));
@@ -627,6 +629,7 @@ bridge_reload(struct device *dev, struct blob_attr *attr)
 		bridge_config_init(dev);
 	}
 
+	free(bst->config_data);
 	bst->config_data = attr;
 	return ret;
 }
diff --git a/macvlan.c b/macvlan.c
index 019a7ff..051fe05 100644
--- a/macvlan.c
+++ b/macvlan.c
@@ -140,6 +140,7 @@ macvlan_free(struct device *dev)
 
 	mvdev = container_of(dev, struct macvlan_device, dev);
 	device_remove_user(&mvdev->parent);
+	free(mvdev->config_data);
 	free(mvdev);
 }
 
@@ -197,6 +198,7 @@ macvlan_reload(struct device *dev, struct blob_attr *attr)
 	struct macvlan_device *mvdev;
 
 	mvdev = container_of(dev, struct macvlan_device, dev);
+	attr = blob_memdup(attr);
 
 	blobmsg_parse(device_attr_list.params, __DEV_ATTR_MAX, tb_dev,
 		blob_data(attr), blob_len(attr));
@@ -226,6 +228,7 @@ macvlan_reload(struct device *dev, struct blob_attr *attr)
 		macvlan_config_init(dev);
 	}
 
+	free(mvdev->config_data);
 	mvdev->config_data = attr;
 	return ret;
 }
diff --git a/vlandev.c b/vlandev.c
index 7b2038e..884e6ef 100644
--- a/vlandev.c
+++ b/vlandev.c
@@ -131,6 +131,7 @@ vlandev_free(struct device *dev)
 
 	mvdev = container_of(dev, struct vlandev_device, dev);
 	device_remove_user(&mvdev->parent);
+	free(mvdev->config_data);
 	free(mvdev);
 }
 
@@ -185,6 +186,7 @@ vlandev_reload(struct device *dev, struct blob_attr *attr)
 	struct vlandev_device *mvdev;
 
 	mvdev = container_of(dev, struct vlandev_device, dev);
+	attr = blob_memdup(attr);
 
 	blobmsg_parse(device_attr_list.params, __DEV_ATTR_MAX, tb_dev,
 		blob_data(attr), blob_len(attr));
@@ -214,6 +216,7 @@ vlandev_reload(struct device *dev, struct blob_attr *attr)
 		vlandev_config_init(dev);
 	}
 
+	free(mvdev->config_data);
 	mvdev->config_data = attr;
 	return ret;
 }
-- 
2.11.0