[PATCH v2 0/9] uci: fixes for uci_set and uci_add_list

Jan Venekamp jan at venekamp.net
Sat Nov 19 17:08:19 PST 2022


When developing a C application that updates options with uci_set I
noticed that config files were not getting these updates. I found
that this was due to a use-after-free bug in uci_set.

Looking further at the code I also noticed some other issues. This
patch series contains fixes to these issues as well as some other
improvements.

Jan Venekamp (9):
  uci: fix use-after-free uci_set on update option
  uci: maintain option position in uci_set
  uci: optimize update option in uci_set
  uci: fix use-after-free uci_add_list
  uci: fix atomicity of uci_add_list
  uci: maintain option position in uci_add_list
  uci: fix memory leak uci_set on update section
  uci: optimize update section in uci_set
  uci: macro uci_alloc_element not in uci.h

 list.c                                | 168 ++++++++++++--------------
 tests/shunit2/tests.d/090_cli_options |   8 +-
 uci.h                                 |  10 --
 uci_internal.h                        |   3 +
 4 files changed, 87 insertions(+), 102 deletions(-)

Interdiff against v1:
diff --git a/list.c b/list.c
index 89c70f0..1640213 100644
--- a/list.c
+++ b/list.c
@@ -734,10 +734,10 @@ int uci_set(struct uci_context *ctx, struct uci_ptr *ptr)
 			strcpy(ptr->s->type, ptr->value);
 		} else {
 			struct uci_section *old = ptr->s;
-			ptr->s = uci_alloc_section(ptr->p, ptr->value, ptr->section, &old->e.list);
+			ptr->s = uci_alloc_section(ptr->p, ptr->value, old->e.name, &old->e.list);
 			uci_section_transfer_options(ptr->s, old);
 			if (ptr->section == old->e.name)
-				ptr->section = ptr->o->e.name;
+				ptr->section = ptr->s->e.name;
 			uci_free_section(old);
 			ptr->s->package->n_section--;
 			ptr->last = &ptr->s->e;
-- 
2.32.0 (Apple Git-132)




More information about the openwrt-devel mailing list