projects
/
project
/
uci.git
/ blobdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
|
commitdiff
|
tree
raw
|
inline
| side by side
uci: fix a potential use-after-free in uci_set()
[project/uci.git]
/
list.c
diff --git
a/list.c
b/list.c
index
e78012b
..
25aec56
100644
(file)
--- a/
list.c
+++ b/
list.c
@@
-12,8
+12,9
@@
* GNU Lesser General Public License for more details.
*/
* GNU Lesser General Public License for more details.
*/
-static
void
uci_list_set_pos(struct uci_list *head, struct uci_list *ptr, int pos)
+static
bool
uci_list_set_pos(struct uci_list *head, struct uci_list *ptr, int pos)
{
{
+ struct uci_list *old_head = ptr->prev;
struct uci_list *new_head = head;
struct uci_element *p = NULL;
struct uci_list *new_head = head;
struct uci_element *p = NULL;
@@
-25,6
+26,8
@@
static void uci_list_set_pos(struct uci_list *head, struct uci_list *ptr, int po
}
uci_list_add(new_head->next, ptr);
}
uci_list_add(new_head->next, ptr);
+
+ return (old_head != new_head);
}
static inline void uci_list_fixup(struct uci_list *ptr)
}
static inline void uci_list_fixup(struct uci_list *ptr)
@@
-175,7
+178,7
@@
static void uci_fixup_section(struct uci_context *ctx, struct uci_section *s)
break;
}
}
break;
}
}
- sprintf(buf, "cfg%02x%04x",
++
s->package->n_section, hash % (1 << 16));
+ sprintf(buf, "cfg%02x%04x", s->package->n_section, hash % (1 << 16));
s->e.name = uci_strdup(ctx, buf);
}
s->e.name = uci_strdup(ctx, buf);
}
@@
-514,12
+517,13
@@
int uci_reorder_section(struct uci_context *ctx, struct uci_section *s, int pos)
{
struct uci_package *p = s->package;
bool internal = ctx && ctx->internal;
{
struct uci_package *p = s->package;
bool internal = ctx && ctx->internal;
+ bool changed = false;
char order[32];
UCI_HANDLE_ERR(ctx);
char order[32];
UCI_HANDLE_ERR(ctx);
- uci_list_set_pos(&s->package->sections, &s->e.list, pos);
- if (!internal && p->has_delta) {
+
changed =
uci_list_set_pos(&s->package->sections, &s->e.list, pos);
+ if (!internal && p->has_delta
&& changed
) {
sprintf(order, "%d", pos);
uci_add_delta(ctx, &p->delta, UCI_CMD_REORDER, s->e.name, NULL, order);
}
sprintf(order, "%d", pos);
uci_add_delta(ctx, &p->delta, UCI_CMD_REORDER, s->e.name, NULL, order);
}
@@
-695,11
+699,15
@@
int uci_set(struct uci_context *ctx, struct uci_ptr *ptr)
ptr->s = uci_alloc_section(ptr->p, ptr->value, ptr->section);
ptr->last = &ptr->s->e;
} else if (ptr->o && ptr->option) { /* update option */
ptr->s = uci_alloc_section(ptr->p, ptr->value, ptr->section);
ptr->last = &ptr->s->e;
} else if (ptr->o && ptr->option) { /* update option */
+ struct uci_option *o;
+
if ((ptr->o->type == UCI_TYPE_STRING) &&
!strcmp(ptr->o->v.string, ptr->value))
return 0;
if ((ptr->o->type == UCI_TYPE_STRING) &&
!strcmp(ptr->o->v.string, ptr->value))
return 0;
- uci_free_option(ptr->o);
+
+ o = ptr->o;
ptr->o = uci_alloc_option(ptr->s, ptr->option, ptr->value);
ptr->o = uci_alloc_option(ptr->s, ptr->option, ptr->value);
+ uci_free_option(o);
ptr->last = &ptr->o->e;
} else if (ptr->s && ptr->section) { /* update section */
char *s = uci_strdup(ctx, ptr->value);
ptr->last = &ptr->o->e;
} else if (ptr->s && ptr->section) { /* update section */
char *s = uci_strdup(ctx, ptr->value);