[OpenWrt-Devel] [PATCH] file: fix segfault in uci_parse_option

Luka Kožnjak luka.koznjak at sartura.hr
Sat Dec 28 14:30:53 EST 2019

Fix a segmentation fault caused by using a pointer to a reallocated
address. The name pointer in the uci_parse_option function
becomes invalid if assert_eol calls uci_realloc down the line,
resulting in a segmentation fault when attempting to dereference
name in a strcmp check in uci_lookup_list. A simple fix is
to call assert_eol before retrieving the actual address for
the name and type pointers.

The segmentation fault has been found while fuzzing the
uci configuration system for various types of different crashes
and undefined behaviors, which resulted in multiple different
import files causing instability and segmentation faults.

Signed-off-by: Luka Kožnjak <luka.koznjak at sartura.hr>
Signed-off-by: Juraj Vijtiuk <juraj.vijtiuk at sartura.hr>
CC: Luka Perkov <luka.perkov at sartura.hr>
 file.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/file.c b/file.c
index 3cd7702..3ac49c6 100644
--- a/file.c
+++ b/file.c
@@ -471,9 +471,9 @@ static void uci_parse_option(struct uci_context *ctx, bool list)
 	ofs_name = next_arg(ctx, true, true, false);
 	ofs_value = next_arg(ctx, false, false, false);
+	assert_eol(ctx);
 	name = pctx_str(pctx, ofs_name);
 	value = pctx_str(pctx, ofs_value);
-	assert_eol(ctx);
 	uci_fill_ptr(ctx, &ptr, &pctx->section->e);
 	e = uci_lookup_list(&pctx->section->options, name);
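
Review bot: Nothing at the moved assert_eol(ctx) line in uci_parse_option records why it now has to precede the two pctx_str() calls, so a later cleanup could move it back and reintroduce the crash. Add a short comment above it stating that, per the commit message, assert_eol can reach uci_realloc, and that name and value must therefore be resolved from ofs_name and ofs_value only after it returns. The commit message refers to the "name and type pointers", while the hunk resolves name and value, so the wording should be aligned with the code. Since the crash was found by fuzzing, including one of the triggering import files as a regression test would let the fix be verified.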
