service: fix use-after-free on service data update
author Jo-Philipp Wich <[email protected]>
Tue, 16 Sep 2025 15:12:14 +0000 (17:12 +0200)
committer Jo-Philipp Wich <[email protected]>
Tue, 16 Sep 2025 15:12:14 +0000 (17:12 +0200)
When updating runtime data for a service already having previous data, the
call to service_data_trigger() will indirectly access the just-freed
`s->data` memory through the `s->data_blob` AVL structure.

Fix this issue by moving the call to `service_data_trigger()` before the
freeing of `s->data`.

Signed-off-by: Jo-Philipp Wich <[email protected]>
service/service.c

index 4070e74ec865105e2a953390bb10de3c3641072f..f8d9c4021c353e1e5609277aaca0315c36aad2f2 100644
@@ -137,13 +137,14 @@ service_update_data(struct service *s, struct blob_attr *data)
        if (blob_attr_equal(s->data, data))
                return 0;
 
+       service_data_trigger(&s->data_blob);
+       blobmsg_list_free(&s->data_blob);
+
        free(s->data);
        s->data = blob_memdup(data);
        if (!s->data)
                return -1;
 
-       service_data_trigger(&s->data_blob);
-       blobmsg_list_free(&s->data_blob);
        blobmsg_list_fill(&s->data_blob, blobmsg_data(s->data),
                        blobmsg_data_len(s->data), false);
        service_data_trigger(&s->data_blob);
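Review bot: the failure path of `blob_memdup()` in this hunk now leaves the service in a half-updated state: by the time `if (!s->data) return -1;` is reached, `service_data_trigger()` has already fired for the old entries, `blobmsg_list_free()` has emptied `s->data_blob`, and `s->data` is NULL, so any later caller that dereferences `s->data` (including a following `blob_attr_equal(s->data, data)`) gets a NULL pointer rather than the previous data. Consider taking the copy first and only then discarding the old state, e.g. `struct blob_attr *new_data = blob_memdup(data); if (!new_data) return -1;` followed by the trigger/free/assign sequence, so that a failed update leaves the old data and its list intact. The reordering itself is correct for the use-after-free: `blobmsg_list_fill()` stores pointers into `s->data`, so the trigger must run before `free(s->data)`, as it now does.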