authorJohn Crispin <blogic@openwrt.org>2013-09-03 19:36:43 +0200
committerJohn Crispin <blogic@openwrt.org>2013-09-03 19:50:13 +0200
commit64f8c21e5a670053ab9e4719cedbb2d963634c0c (patch)
tree9f6c4abe1ca556463acfe8c710c04edf60d1c006
parent8555851160bcc5a04acfa8837af0977b82f7b500 (diff)
fix use after free bug in the trigger handling code
Signed-off-by: John Crispin <blogic@openwrt.org>
-rw-r--r--instance.c9
-rw-r--r--service.c12
2 files changed, 17 insertions, 4 deletions
diff --git a/instance.c b/instance.c
index 45706ba..c25c859 100644
--- a/instance.c
+++ b/instance.c
@@ -317,10 +317,14 @@ instance_config_parse(struct service_instance *in)
return false;
in->command = cur;
- in->trigger = tb[INSTANCE_ATTR_TRIGGER];
- if (in->trigger)
+ if (tb[INSTANCE_ATTR_TRIGGER]) {
+ in->trigger = malloc(blob_len(tb[INSTANCE_ATTR_TRIGGER]));
+ if (!in->trigger)
+ return -1;
+ memcpy(in->trigger, tb[INSTANCE_ATTR_TRIGGER], blob_len(tb[INSTANCE_ATTR_TRIGGER]));
trigger_add(in->trigger, in);
+ }
if ((cur = tb[INSTANCE_ATTR_NICE])) {
in->nice = (int8_t) blobmsg_get_u32(cur);
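Review bot: The trigger copy is sized with `blob_len()`, but the `memcpy` source is the attribute itself, header included. If this is libubox's `blob_len()` (payload length without the header), the duplicate is short by the header size while its length field still describes the full attribute, so `trigger_add()` and later readers can read past the end of the heap buffer. Sizing both the `malloc` and the `memcpy` with `blob_pad_len(tb[INSTANCE_ATTR_TRIGGER])` would copy the whole attribute, and the same applies to the `SERVICE_SET_TRIGGER` copy in `service_update` in service.c. Separately, `return -1` on allocation failure sits in a function whose earlier failure path is `return false`, so if it returns `bool` the -1 converts to true and reports success; `return false;` would match. The function body continues outside the hunk.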
@@ -395,6 +399,7 @@ instance_free(struct service_instance *in)
uloop_process_delete(&in->proc);
uloop_timeout_cancel(&in->timeout);
trigger_del(in);
+ free(in->trigger);
instance_config_cleanup(in);
free(in->config);
free(in);
diff --git a/service.c b/service.c
index e485c53..158e096 100644
--- a/service.c
+++ b/service.c
@@ -101,11 +101,17 @@ service_update(struct service *s, struct blob_attr *config, struct blob_attr **t
struct blob_attr *cur;
int rem;
- if (s->trigger)
+ if (s->trigger) {
trigger_del(s);
+ free(s->trigger);
+ s->trigger = NULL;
+ }
if (tb[SERVICE_SET_TRIGGER] && blobmsg_data_len(tb[SERVICE_SET_TRIGGER])) {
- s->trigger = tb[SERVICE_SET_TRIGGER];
+ s->trigger = malloc(blob_len(tb[SERVICE_SET_TRIGGER]));
+ if (!s->trigger)
+ return -1;
+ memcpy(s->trigger, tb[SERVICE_SET_TRIGGER], blob_len(tb[SERVICE_SET_TRIGGER]));
trigger_add(s->trigger, s);
}
@@ -128,6 +134,8 @@ service_delete(struct service *s)
vlist_flush_all(&s->instances);
avl_delete(&services, &s->avl);
trigger_del(s);
+ s->trigger = NULL;
+ free(s->trigger);
free(s->config);
free(s);
}
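Review bot: The two added lines in `service_delete` are in the wrong order: `s->trigger = NULL;` runs before `free(s->trigger);`, so the call frees NULL and the buffer allocated in `service_update` is never released. Put `free(s->trigger);` first; the NULL assignment can then be dropped, since `free(s)` follows immediately. In a long-running daemon this leaks one trigger blob for every service that is deleted.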