From: Jo-Philipp Wich <jo@mein.io>
Date: Tue, 16 Sep 2025 15:12:14 +0000 (+0200)
Subject: service: fix use-after-free on service data update
X-Git-Url: http://git.openwrt.org/?a=commitdiff_plain;h=ace5f272e139b5b1f98e992b2590ed1384e2774e;p=project%2Fprocd.git

service: fix use-after-free on service data update

When updating runtime data for service already having previous data, the
call to service_data_trigger() will indirectly access the just freed
`s->data` memory through the `s->data_blob` AVL structure.

Fix this issue by moving the call to `service_data_trigger()` before the
freeing of `s->data`.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
---

diff --git a/service/service.c b/service/service.c
index 4070e74..f8d9c40 100644
--- a/service/service.c
+++ b/service/service.c
@@ -137,13 +137,14 @@ service_update_data(struct service *s, struct blob_attr *data)
 	if (blob_attr_equal(s->data, data))
 		return 0;
 
+	service_data_trigger(&s->data_blob);
+	blobmsg_list_free(&s->data_blob);
+
 	free(s->data);
 	s->data = blob_memdup(data);
 	if (!s->data)
 		return -1;
 
-	service_data_trigger(&s->data_blob);
-	blobmsg_list_free(&s->data_blob);
 	blobmsg_list_fill(&s->data_blob, blobmsg_data(s->data),
 			blobmsg_data_len(s->data), false);
 	service_data_trigger(&s->data_blob);