From 64f8c21e5a670053ab9e4719cedbb2d963634c0c Mon Sep 17 00:00:00 2001
From: John Crispin
Date: Tue, 3 Sep 2013 19:36:43 +0200
Subject: fix use after free bug in the trigger handling code
Signed-off-by: John Crispin
---
 service.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
(limited to 'service.c')
diff --git a/service.c b/service.c
index e485c53..158e096 100644
--- a/service.c
+++ b/service.c
@@ -101,11 +101,17 @@ service_update(struct service *s, struct blob_attr *config, struct blob_attr **t
 struct blob_attr *cur;
 int rem;
- if (s->trigger)
+ if (s->trigger) {
 trigger_del(s);
+ free(s->trigger);
+ s->trigger = NULL;
+ }
 if (tb[SERVICE_SET_TRIGGER] && blobmsg_data_len(tb[SERVICE_SET_TRIGGER])) {
- s->trigger = tb[SERVICE_SET_TRIGGER];
+ s->trigger = malloc(blob_len(tb[SERVICE_SET_TRIGGER]));
+ if (!s->trigger) return -1;
+ memcpy(s->trigger, tb[SERVICE_SET_TRIGGER], blob_len(tb[SERVICE_SET_TRIGGER]));
 trigger_add(s->trigger, s);
 }
@@ -128,6 +134,8 @@ service_delete(struct service *s)
 vlist_flush_all(&s->instances);
 avl_delete(&services, &s->avl);
 trigger_del(s);
+ s->trigger = NULL;
+ free(s->trigger);
 free(s->config);
 free(s);
 }
--
cgit v1.2.3
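Review bot: The private copy made in service_update at `malloc(blob_len(tb[SERVICE_SET_TRIGGER]))` and the matching `memcpy(..., blob_len(...))` look undersized: if blob_len() here is libubox's, it returns the payload length without the leading `struct blob_attr` header, yet the copy starts at the header itself, so the last sizeof(struct blob_attr) bytes of the trigger blob are never copied before trigger_add() walks it. Sizing both calls with `blob_raw_len(tb[SERVICE_SET_TRIGGER])` would copy the whole attribute; I cannot see blob_len()'s definition on this page, so confirm against blob.h. The `return -1` on allocation failure is reached after the old trigger has already been removed and freed, which is consistent but deserves a one-line comment such as `/* old trigger already dropped; caller must treat -1 as "no trigger installed" */`. service_update continues outside the hunk.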
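Review bot: In service_delete the two added lines are in the wrong order: `s->trigger = NULL;` executes before `free(s->trigger);`, so free() always receives NULL and the buffer that service_update now allocates is leaked on every service removal. Swap them to `free(s->trigger); s->trigger = NULL;`, or just `free(s->trigger);` since `s` itself is freed two lines later and the NULL store is unobservable. This also assumes trigger_del(s) does not free s->trigger on its own, which the page does not show; if it does, the free here becomes a double free rather than a leak.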