ucimap: fix use-after-free on cleanup (patch by Stanislav Fomichev)

[project/uci.git] / ucimap.c

diff --git a/ucimap.c b/ucimap.c
index 7c4fb02..16ce56a 100644 (file)
--- a/ucimap.c
+++ b/ucimap.c
@@ -9,7 +9,7 @@
  * This program is distributed in the hope that it will be useful,
  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
+ * GNU Lesser General Public License for more details.
  */
 
 /*
@@ -162,9 +162,10 @@ ucimap_free_section(struct uci_map *map, struct ucimap_section_data *sd)
 void
 ucimap_cleanup(struct uci_map *map)
 {
-       struct ucimap_section_data *sd;
+       struct ucimap_section_data *sd, *sd_next;
 
-       for (sd = map->sdata; sd; sd = sd->next) {
+       for (sd = map->sdata; sd; sd = sd_next) {
+               sd_next = sd->next;
                ucimap_free_section(map, sd);
        }
 }
@@ -207,7 +208,6 @@ static bool
 ucimap_handle_fixup(struct uci_map *map, struct ucimap_fixup *f)
 {
        void *ptr = ucimap_find_section(map, f);
-       struct ucimap_list *list;
        union ucimap_data *data;
 
        if (!ptr)
@@ -218,7 +218,6 @@ ucimap_handle_fixup(struct uci_map *map, struct ucimap_fixup *f)
                f->data->ptr = ptr;
                break;
        case UCIMAP_LIST:
-               list = f->data->list;
                data = ucimap_list_append(f->data->list);
                if (!data)
                        return false;