[OpenWrt-Devel] [PATCH 2/3] netifd: Keep reference to a config copy in device type specific reload handler as the original config pointer might go stale

Hans Dedecker dedeckeh at gmail.com
Thu Feb 12 11:41:16 EST 2015 

Fixes random observed crashes in blobmsg_parse when device type specific
config data is parsed.

Signed-off-by: Hans Dedecker <dedeckeh at gmail.com>
---
 bridge.c  | 3 +++
 macvlan.c | 3 +++
 vlandev.c | 3 +++
 3 files changed, 9 insertions(+)

diff --git a/bridge.c b/bridge.c
index f8478ad..7076fd7 100644
--- a/bridge.c
+++ b/bridge.c
@@ -491,6 +491,7 @@ bridge_free(struct device *dev)
 
 	bst = container_of(dev, struct bridge_state, dev);
 	vlist_flush_all(&bst->members);
+	free(bst->config_data);
 	free(bst);
 }
 
@@ -594,6 +595,7 @@ bridge_reload(struct device *dev, struct blob_attr *attr)
 	BUILD_BUG_ON(sizeof(diff) < __DEV_ATTR_MAX / 8);
 
 	bst = container_of(dev, struct bridge_state, dev);
+	attr = blob_memdup(attr);
 
 	blobmsg_parse(device_attr_list.params, __DEV_ATTR_MAX, tb_dev,
 		blob_data(attr), blob_len(attr));
@@ -627,6 +629,7 @@ bridge_reload(struct device *dev, struct blob_attr *attr)
 		bridge_config_init(dev);
 	}
 
+	free(bst->config_data);
 	bst->config_data = attr;
 	return ret;
 }
diff --git a/macvlan.c b/macvlan.c
index 019a7ff..051fe05 100644
--- a/macvlan.c
+++ b/macvlan.c
@@ -140,6 +140,7 @@ macvlan_free(struct device *dev)
 
 	mvdev = container_of(dev, struct macvlan_device, dev);
 	device_remove_user(&mvdev->parent);
+	free(mvdev->config_data);
 	free(mvdev);
 }
 
@@ -197,6 +198,7 @@ macvlan_reload(struct device *dev, struct blob_attr *attr)
 	struct macvlan_device *mvdev;
 
 	mvdev = container_of(dev, struct macvlan_device, dev);
+	attr = blob_memdup(attr);
 
 	blobmsg_parse(device_attr_list.params, __DEV_ATTR_MAX, tb_dev,
 		blob_data(attr), blob_len(attr));
@@ -226,6 +228,7 @@ macvlan_reload(struct device *dev, struct blob_attr *attr)
 		macvlan_config_init(dev);
 	}
 
+	free(mvdev->config_data);
 	mvdev->config_data = attr;
 	return ret;
 }
diff --git a/vlandev.c b/vlandev.c
index 7b2038e..884e6ef 100644
--- a/vlandev.c
+++ b/vlandev.c
@@ -131,6 +131,7 @@ vlandev_free(struct device *dev)
 
 	mvdev = container_of(dev, struct vlandev_device, dev);
 	device_remove_user(&mvdev->parent);
+	free(mvdev->config_data);
 	free(mvdev);
 }
 
@@ -185,6 +186,7 @@ vlandev_reload(struct device *dev, struct blob_attr *attr)
 	struct vlandev_device *mvdev;
 
 	mvdev = container_of(dev, struct vlandev_device, dev);
+	attr = blob_memdup(attr);
 
 	blobmsg_parse(device_attr_list.params, __DEV_ATTR_MAX, tb_dev,
 		blob_data(attr), blob_len(attr));
@@ -214,6 +216,7 @@ vlandev_reload(struct device *dev, struct blob_attr *attr)
 		vlandev_config_init(dev);
 	}
 
+	free(mvdev->config_data);
 	mvdev->config_data = attr;
 	return ret;
 }
-- 
1.9.1
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel

More information about the openwrt-devel mailing list