
[uci,2/6] file: uci_parse_package: fix heap use after free

Message ID 20201003074830.948-3-ynezz@true.cz
State Accepted
Delegated to: Petr Štetiar
Series: fixes and improvements

Commit Message

Petr Štetiar Oct. 3, 2020, 7:48 a.m. UTC
Fixes the following issue, which is caused by use of a pointer that pointed
to a reallocated address:

 ERROR: AddressSanitizer: heap-use-after-free on address 0x619000000087 at pc 0x000000509aa7 bp 0x7ffd6b9c3c40 sp 0x7ffd6b9c3400
 READ of size 2 at 0x619000000087 thread T0
     #0 0x509aa6 in strdup (test-fuzz+0x509aa6)
     #1 0x7fc36d2a1636 in uci_strdup util.c:60:8
     #2 0x7fc36d29e1ac in uci_alloc_generic list.c:55:13
     #3 0x7fc36d29e241 in uci_alloc_package list.c:253:6
     #4 0x7fc36d2a0ba3 in uci_switch_config file.c:375:18
     #5 0x7fc36d2a09b8 in uci_parse_package file.c:397:2
     #6 0x7fc36d2a09b8 in uci_parse_line file.c:513:6
     #7 0x7fc36d2a09b8 in uci_import file.c:681:4

 0x619000000087 is located 7 bytes inside of 1024-byte region [0x619000000080,0x619000000480)
 freed by thread T0 here:
     #0 0x51daa9 in realloc (test-fuzz+0x51daa9)
     #1 0x7fc36d2a1612 in uci_realloc util.c:49:8

 previously allocated by thread T0 here:
     #0 0x51daa9 in realloc (test-fuzz+0x51daa9)
     #1 0x7fc36d2a1612 in uci_realloc util.c:49:8

Reported-by: Jeremy Galindo <jgalindo@datto.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
---
 file.c                                             |   2 +-
 ...sig-06,src-000079,time-22005942,op-ext_AO,pos-8 | Bin 0 -> 56 bytes
 2 files changed, 1 insertion(+), 1 deletion(-)
 create mode 100644 tests/fuzz/corpus/id-000000,sig-06,src-000079,time-22005942,op-ext_AO,pos-8

GIT binary patch
literal 56
zcmXR&OwLYBPgN*@(lHFFjAeOc1$jzbTncy18yFZE5{noZKdkG_3=k<=xL-@**{y7@
Go{s<;LKIT~

literal 0
HcmV?d00001

Patch

diff --git a/file.c b/file.c
index 6486de9c4229..23bf49a16f63 100644
--- a/file.c
+++ b/file.c
@@ -388,8 +388,8 @@  static void uci_parse_package(struct uci_context *ctx, bool single)
 	pctx->pos += strlen(pctx_cur_str(pctx)) + 1;
 
 	ofs_name = next_arg(ctx, true, true, true);
-	name = pctx_str(pctx, ofs_name);
 	assert_eol(ctx);
+	name = pctx_str(pctx, ofs_name);
 	if (single)
 		return;
 
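Review bot: the reorder is correct, but the constraint it encodes is invisible in the resulting code: `name = pctx_str(pctx, ofs_name);` now follows `assert_eol(ctx);` because that call can grow the parser buffer through `uci_realloc()` (the freed-by frame in the ASan trace), after which any pointer previously returned by `pctx_str()` refers to freed memory. Suggest a one-line comment above the moved assignment, e.g. `/* resolve the offset only after the last call that may realloc the buffer */`, so a later refactor does not move it back; carrying `ofs_name` as an offset across the call, as this hunk does, is the pattern every other value taken from the buffer should follow.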
diff --git a/tests/fuzz/corpus/id-000000,sig-06,src-000079,time-22005942,op-ext_AO,pos-8 b/tests/fuzz/corpus/id-000000,sig-06,src-000079,time-22005942,op-ext_AO,pos-8
new file mode 100644
index 0000000000000000000000000000000000000000..dc92b9dbb1ea9a540d60176c97ee9803c42dd3bf
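The bug class the commit message and hunk describe, shown in isolation as an added example (this is constructed teaching code, not uci's own `pctx_str`/`next_arg`/`assert_eol`): a growable buffer is addressed by offset, a pointer is resolved from that offset, and a later call grows the buffer, leaving the pointer dangling. The stand-in `pbuf_append()` always moves the allocation when it grows, to make the hazard deterministic; glibc's `realloc()` may or may not move, which is why such bugs surface intermittently and why the fuzzer under AddressSanitizer was needed to catch this one. The second append stands in for `assert_eol()` consuming the rest of the line and is an assumption about that function's behaviour based only on the hunk and the trace.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a parser context's growable line buffer. */
struct pbuf {
    char *buf;
    size_t len;   /* bytes in use */
    size_t cap;   /* bytes allocated */
};

static void pbuf_init(struct pbuf *p) { p->buf = NULL; p->len = 0; p->cap = 0; }
static void pbuf_free(struct pbuf *p) { free(p->buf); pbuf_init(p); }

/* Append a NUL-terminated string and return its offset. When the buffer must
 * grow, a fresh block is allocated and the old one freed (a deliberate
 * "always move" policy so the example is deterministic), so every pointer
 * previously derived from buf becomes dangling. */
static size_t pbuf_append(struct pbuf *p, const char *s)
{
    size_t n = strlen(s) + 1;
    size_t ofs = p->len;

    if (p->len + n > p->cap) {
        size_t ncap = p->cap ? p->cap : 16;
        while (ncap < p->len + n)
            ncap *= 2;
        char *nb = malloc(ncap);
        if (!nb) { perror("malloc"); exit(1); }
        if (p->len)
            memcpy(nb, p->buf, p->len);
        free(p->buf);          /* old block gone: old pointers now dangle */
        p->buf = nb;
        p->cap = ncap;
    }
    memcpy(p->buf + ofs, s, n);
    p->len += n;
    return ofs;
}

/* Resolve an offset to a pointer; valid only until the next call that may grow buf. */
static char *pbuf_str(struct pbuf *p, size_t ofs) { return p->buf + ofs; }

/* Original ordering: resolve the pointer, then make a call that may grow the
 * buffer. Returns 1 if the resolved pointer no longer lies inside the live
 * allocation. Addresses are compared as integers so the stale pointer is never
 * dereferenced (doing so is exactly the heap-use-after-free ASan reported). */
static int name_pointer_goes_stale(void)
{
    struct pbuf p;
    pbuf_init(&p);
    size_t ofs_name = pbuf_append(&p, "wireless");                 /* like next_arg() */
    uintptr_t name = (uintptr_t)pbuf_str(&p, ofs_name);            /* like the old name = pctx_str() */
    pbuf_append(&p, "trailing text long enough to force the buffer to grow"); /* like assert_eol() */
    uintptr_t lo = (uintptr_t)p.buf, hi = lo + p.cap;
    int stale = !(name >= lo && name < hi);
    pbuf_free(&p);
    return stale;
}

/* Fixed ordering: keep only the offset across the growing call and resolve it
 * afterwards. Copies the name into out and returns 1 on success, 0 if out is too small. */
static int name_after_fix(char *out, size_t outsz)
{
    struct pbuf p;
    pbuf_init(&p);
    size_t ofs_name = pbuf_append(&p, "wireless");
    pbuf_append(&p, "trailing text long enough to force the buffer to grow");
    const char *name = pbuf_str(&p, ofs_name);   /* resolved after the last possible grow */
    int ok = strlen(name) < outsz;
    if (ok)
        strcpy(out, name);
    pbuf_free(&p);
    return ok;
}

int main(void)
{
    char out[32];
    printf("old ordering leaves a dangling pointer: %s\n",
           name_pointer_goes_stale() ? "yes" : "no");
    if (name_after_fix(out, sizeof out))
        printf("fixed ordering reads name: %s\n", out);
    return 0;
}
```

The defensive rule the fix follows generalises: anything taken from a buffer that can be reallocated is stored as an offset (`ofs_name`) and turned into a pointer only after the last call that might grow the buffer, and that invariant is worth stating in a comment at the point of use, since nothing in the types enforces it.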