uci: fix a potential use-after-free in uci_set()
[project/uci.git]
/
list.c
diff --git
a/list.c
b/list.c
index
f3a9ed6
..
25aec56
100644
(file)
--- a/
list.c
+++ b/
list.c
@@
-12,8
+12,9
@@
* GNU Lesser General Public License for more details.
*/
* GNU Lesser General Public License for more details.
*/
-static
void
uci_list_set_pos(struct uci_list *head, struct uci_list *ptr, int pos)
+static
bool
uci_list_set_pos(struct uci_list *head, struct uci_list *ptr, int pos)
{
{
+ struct uci_list *old_head = ptr->prev;
struct uci_list *new_head = head;
struct uci_element *p = NULL;
struct uci_list *new_head = head;
struct uci_element *p = NULL;
@@
-25,6
+26,8
@@
static void uci_list_set_pos(struct uci_list *head, struct uci_list *ptr, int po
}
uci_list_add(new_head->next, ptr);
}
uci_list_add(new_head->next, ptr);
+
+ return (old_head != new_head);
}
static inline void uci_list_fixup(struct uci_list *ptr)
}
static inline void uci_list_fixup(struct uci_list *ptr)
@@
-33,7
+36,7
@@
static inline void uci_list_fixup(struct uci_list *ptr)
ptr->next->prev = ptr;
}
ptr->next->prev = ptr;
}
-/*
+/*
* uci_alloc_generic allocates a new uci_element with payload
* payload is appended to the struct to save memory and reduce fragmentation
*/
* uci_alloc_generic allocates a new uci_element with payload
* payload is appended to the struct to save memory and reduce fragmentation
*/
@@
-66,8
+69,7
@@
done:
__private void
uci_free_element(struct uci_element *e)
{
__private void
uci_free_element(struct uci_element *e)
{
- if (e->name)
- free(e->name);
+ free(e->name);
if (!uci_list_empty(&e->list))
uci_list_del(&e->list);
free(e);
if (!uci_list_empty(&e->list))
uci_list_del(&e->list);
free(e);
@@
-145,7
+147,7
@@
static unsigned int djbhash(unsigned int hash, char *str)
}
/* fix up an unnamed section, e.g. after adding options to it */
}
/* fix up an unnamed section, e.g. after adding options to it */
-
__private
void uci_fixup_section(struct uci_context *ctx, struct uci_section *s)
+
static
void uci_fixup_section(struct uci_context *ctx, struct uci_section *s)
{
unsigned int hash = ~0;
struct uci_element *e;
{
unsigned int hash = ~0;
struct uci_element *e;
@@
-176,7
+178,7
@@
__private void uci_fixup_section(struct uci_context *ctx, struct uci_section *s)
break;
}
}
break;
}
}
- sprintf(buf, "cfg%02x%04x",
++
s->package->n_section, hash % (1 << 16));
+ sprintf(buf, "cfg%02x%04x", s->package->n_section, hash % (1 << 16));
s->e.name = uci_strdup(ctx, buf);
}
s->e.name = uci_strdup(ctx, buf);
}
@@
-239,8
+241,7
@@
uci_free_package(struct uci_package **package)
if(!p)
return;
if(!p)
return;
- if (p->path)
- free(p->path);
+ free(p->path);
uci_foreach_element_safe(&p->sections, tmp, e) {
uci_free_section(uci_to_section(e));
}
uci_foreach_element_safe(&p->sections, tmp, e) {
uci_free_section(uci_to_section(e));
}
@@
-320,7
+321,7
@@
uci_lookup_ext_section(struct uci_context *ctx, struct uci_ptr *ptr)
else if (!uci_validate_type(name))
goto error;
else if (!uci_validate_type(name))
goto error;
- /* if the given index is negative, it specifies the section number from
+ /* if the given index is negative, it specifies the section number from
* the end of the list */
if (idx < 0) {
c = 0;
* the end of the list */
if (idx < 0) {
c = 0;
@@
-348,7
+349,7
@@
uci_lookup_ext_section(struct uci_context *ctx, struct uci_ptr *ptr)
goto done;
error:
goto done;
error:
-
e = NULL
;
+
free(section)
;
memset(ptr, 0, sizeof(struct uci_ptr));
UCI_THROW(ctx, UCI_ERR_INVAL);
done:
memset(ptr, 0, sizeof(struct uci_ptr));
UCI_THROW(ctx, UCI_ERR_INVAL);
done:
@@
-433,11
+434,12
@@
uci_lookup_ptr(struct uci_context *ctx, struct uci_ptr *ptr, char *str, bool ext
complete:
ptr->flags |= UCI_LOOKUP_COMPLETE;
abort:
complete:
ptr->flags |= UCI_LOOKUP_COMPLETE;
abort:
- return
0
;
+ return
UCI_OK
;
notfound:
UCI_THROW(ctx, UCI_ERR_NOTFOUND);
notfound:
UCI_THROW(ctx, UCI_ERR_NOTFOUND);
- return 0;
+ /* not a chance here */
+ return UCI_ERR_NOTFOUND;
}
__private struct uci_element *
}
__private struct uci_element *
@@
-502,8
+504,7
@@
int uci_rename(struct uci_context *ctx, struct uci_ptr *ptr)
uci_add_delta(ctx, &p->delta, UCI_CMD_RENAME, ptr->section, ptr->option, ptr->value);
n = uci_strdup(ctx, ptr->value);
uci_add_delta(ctx, &p->delta, UCI_CMD_RENAME, ptr->section, ptr->option, ptr->value);
n = uci_strdup(ctx, ptr->value);
- if (e->name)
- free(e->name);
+ free(e->name);
e->name = n;
if (e->type == UCI_TYPE_SECTION)
e->name = n;
if (e->type == UCI_TYPE_SECTION)
@@
-515,12
+516,14
@@
int uci_rename(struct uci_context *ctx, struct uci_ptr *ptr)
int uci_reorder_section(struct uci_context *ctx, struct uci_section *s, int pos)
{
struct uci_package *p = s->package;
int uci_reorder_section(struct uci_context *ctx, struct uci_section *s, int pos)
{
struct uci_package *p = s->package;
+ bool internal = ctx && ctx->internal;
+ bool changed = false;
char order[32];
UCI_HANDLE_ERR(ctx);
char order[32];
UCI_HANDLE_ERR(ctx);
- uci_list_set_pos(&s->package->sections, &s->e.list, pos);
- if (!
ctx->internal && p->has_delta
) {
+
changed =
uci_list_set_pos(&s->package->sections, &s->e.list, pos);
+ if (!
internal && p->has_delta && changed
) {
sprintf(order, "%d", pos);
uci_add_delta(ctx, &p->delta, UCI_CMD_REORDER, s->e.name, NULL, order);
}
sprintf(order, "%d", pos);
uci_add_delta(ctx, &p->delta, UCI_CMD_REORDER, s->e.name, NULL, order);
}
@@
-536,7
+539,8
@@
int uci_add_section(struct uci_context *ctx, struct uci_package *p, const char *
UCI_HANDLE_ERR(ctx);
UCI_ASSERT(ctx, p != NULL);
s = uci_alloc_section(p, type, NULL);
UCI_HANDLE_ERR(ctx);
UCI_ASSERT(ctx, p != NULL);
s = uci_alloc_section(p, type, NULL);
- uci_fixup_section(ctx, s);
+ if (s && s->anonymous)
+ uci_fixup_section(ctx, s);
*res = s;
if (!internal && p->has_delta)
uci_add_delta(ctx, &p->delta, UCI_CMD_ADD, s->e.name, NULL, type);
*res = s;
if (!internal && p->has_delta)
uci_add_delta(ctx, &p->delta, UCI_CMD_ADD, s->e.name, NULL, type);
@@
-559,7
+563,7
@@
int uci_delete(struct uci_context *ctx, struct uci_ptr *ptr)
UCI_ASSERT(ctx, ptr->s);
UCI_ASSERT(ctx, ptr->s);
- if (ptr->
value && *ptr->value && ptr->o && ptr->o->type == UCI_TYPE_LIST
) {
+ if (ptr->
o && ptr->o->type == UCI_TYPE_LIST && ptr->value && *ptr->value
) {
if (!sscanf(ptr->value, "%d", &index))
return 1;
if (!sscanf(ptr->value, "%d", &index))
return 1;
@@
-695,11
+699,15
@@
int uci_set(struct uci_context *ctx, struct uci_ptr *ptr)
ptr->s = uci_alloc_section(ptr->p, ptr->value, ptr->section);
ptr->last = &ptr->s->e;
} else if (ptr->o && ptr->option) { /* update option */
ptr->s = uci_alloc_section(ptr->p, ptr->value, ptr->section);
ptr->last = &ptr->s->e;
} else if (ptr->o && ptr->option) { /* update option */
+ struct uci_option *o;
+
if ((ptr->o->type == UCI_TYPE_STRING) &&
!strcmp(ptr->o->v.string, ptr->value))
return 0;
if ((ptr->o->type == UCI_TYPE_STRING) &&
!strcmp(ptr->o->v.string, ptr->value))
return 0;
- uci_free_option(ptr->o);
+
+ o = ptr->o;
ptr->o = uci_alloc_option(ptr->s, ptr->option, ptr->value);
ptr->o = uci_alloc_option(ptr->s, ptr->option, ptr->value);
+ uci_free_option(o);
ptr->last = &ptr->o->e;
} else if (ptr->s && ptr->section) { /* update section */
char *s = uci_strdup(ctx, ptr->value);
ptr->last = &ptr->o->e;
} else if (ptr->s && ptr->section) { /* update section */
char *s = uci_strdup(ctx, ptr->value);
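Review bot: In the uci_set() hunk the new ordering (save `o`, allocate the replacement with `uci_alloc_option`, then `uci_free_option(o)`) has no comment saying why it matters, so a later cleanup could move the free back in front of the allocation. Judging by the title, the hazard is presumably `ptr->value` pointing into the old option's storage; if so, a comment above `o = ptr->o;` such as `/* ptr->value may alias the old option's string: copy it into the new option before freeing the old one */` would record that. In that aliasing case `ptr->value` still points at freed memory once `uci_free_option(o)` has run, so the function's documentation should say that callers must not read `ptr->value` after uci_set() returns, or the code should clear it. uci_set() begins and ends outside this hunk, so the rest of its handling of `ptr` cannot be checked from here.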