From 64f8c21e5a670053ab9e4719cedbb2d963634c0c Mon Sep 17 00:00:00 2001
From: John Crispin
Date: Tue, 3 Sep 2013 19:36:43 +0200
Subject: fix use after free bug in the trigger handling code

Signed-off-by: John Crispin
---
 instance.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

(limited to 'instance.c')

diff --git a/instance.c b/instance.c
index 45706ba..c25c859 100644
--- a/instance.c
+++ b/instance.c
@@ -317,10 +317,14 @@ instance_config_parse(struct service_instance *in)
 		return false;
 	in->command = cur;
-	in->trigger = tb[INSTANCE_ATTR_TRIGGER];
-	if (in->trigger)
+	if (tb[INSTANCE_ATTR_TRIGGER]) {
+		in->trigger = malloc(blob_len(tb[INSTANCE_ATTR_TRIGGER]));
+		if (!in->trigger)
+			return -1;
+		memcpy(in->trigger, tb[INSTANCE_ATTR_TRIGGER], blob_len(tb[INSTANCE_ATTR_TRIGGER]));
 		trigger_add(in->trigger, in);
+	}
 	if ((cur = tb[INSTANCE_ATTR_NICE])) {
 		in->nice = (int8_t) blobmsg_get_u32(cur);
@@ -395,6 +399,7 @@ instance_free(struct service_instance *in)
 	uloop_process_delete(&in->proc);
 	uloop_timeout_cancel(&in->timeout);
 	trigger_del(in);
+	free(in->trigger);
 	instance_config_cleanup(in);
 	free(in->config);
 	free(in);
-- 
cgit v1.2.3
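Review bot: The `return -1` on the malloc failure path in instance_config_parse reports the wrong outcome if, as the `return false;` context line just above suggests, the function returns bool: -1 converts to true, so a failed allocation is signalled as a successfully parsed configuration and the caller continues with in->trigger left NULL; it should be `return false;`. The size used for the malloc and the memcpy also deserves a second look: in libubox blob_len() is the payload length without the struct blob_attr header, yet the copy starts at the attribute pointer, so the duplicate would be short by the header size and its own length field would claim bytes beyond the allocation, which any later walk of in->trigger would read out of bounds; sizing both calls with blob_pad_len() (or using blob_memdup(), which does this) keeps the copy self-consistent. instance_config_parse starts and ends outside the hunk.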