When calling uci_set() to update an option, if ptr->o != NULL and
ptr->option == NULL, then uci_expand_ptr() will set ptr->option to
ptr->o->e.name (or the caller could set ptr->option to that value). In
this case, the option will be freed just before calling
uci_alloc_option() with ptr->option, which was just freed.
Signed-off-by: Jordan Miner <jmin...@gmail.com>
---
list.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/list.c b/list.c
index 0347138..3c46a0b 100644
--- a/list.c
+++ b/list.c
@@ -666,6 +666,7 @@ int uci_set(struct uci_context *ctx, struct uci_ptr *ptr)
{
/* NB: UCI_INTERNAL use means without delta tracking */
bool internal = ctx && ctx->internal;
+ struct uci_option *o;
UCI_HANDLE_ERR(ctx);
uci_expand_ptr(ctx, ptr, false);
@@ -698,8 +699,9 @@ int uci_set(struct uci_context *ctx, struct uci_ptr *ptr)
if ((ptr->o->type == UCI_TYPE_STRING) &&
!strcmp(ptr->o->v.string, ptr->value))
return 0;
- uci_free_option(ptr->o);
+ o = ptr->o;
ptr->o = uci_alloc_option(ptr->s, ptr->option, ptr->value);
+ uci_free_option(o);
ptr->last = &ptr->o->e;
} else if (ptr->s && ptr->section) { /* update section */
char *s = uci_strdup(ctx, ptr->value);
--
2.7.4
_______________________________________________
Lede-dev mailing list
Lede-dev@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/lede-dev
