From f52274bf2fae35c07e0a1801b46b68b9e8179c25 Mon Sep 17 00:00:00 2001 From: Jo-Philipp Wich Date: Mon, 1 Nov 2010 00:20:00 +0000 Subject: uci: use a delete-safe iterator in the Lua :foreach() function The following test case exposed a NULL pointer dereference in uci_lua_foreach(): lua -luci -e 'x=uci.cursor(); x:foreach("firewall", "forwarding", function(s) x:delete("firewall", s[".name"]) end)' SVN-Revision: 23757 --- package/uci/Makefile | 2 +- .../patches/130-lua_fix_nested_foreach_delete.patch | 20 ++++++++++++++++++++ 2 files changed, 21 insertions(+), 1 deletion(-) create mode 100644 package/uci/patches/130-lua_fix_nested_foreach_delete.patch (limited to 'package') diff --git a/package/uci/Makefile b/package/uci/Makefile index 394fdf70f3..c9fc6a63c4 100644 --- a/package/uci/Makefile +++ b/package/uci/Makefile @@ -8,7 +8,7 @@ include $(TOPDIR)/rules.mk UCI_VERSION=2010-09-28 -UCI_RELEASE=1 +UCI_RELEASE=2 PKG_NAME:=uci PKG_VERSION:=$(UCI_VERSION)$(if $(UCI_RELEASE),.$(UCI_RELEASE)) diff --git a/package/uci/patches/130-lua_fix_nested_foreach_delete.patch b/package/uci/patches/130-lua_fix_nested_foreach_delete.patch new file mode 100644 index 0000000000..70c23ad7b7 --- /dev/null +++ b/package/uci/patches/130-lua_fix_nested_foreach_delete.patch @@ -0,0 +1,20 @@ +--- a/lua/uci.c ++++ b/lua/uci.c +@@ -266,7 +266,7 @@ uci_lua_foreach(lua_State *L) + { + struct uci_context *ctx; + struct uci_package *p; +- struct uci_element *e; ++ struct uci_element *e, *tmp; + const char *package, *type; + bool ret = false; + int offset = 0; +@@ -287,7 +287,7 @@ uci_lua_foreach(lua_State *L) + if (!p) + goto done; + +- uci_foreach_element(&p->sections, e) { ++ uci_foreach_element_safe(&p->sections, tmp, e) { + struct uci_section *s = uci_to_section(e); + + i++; -- cgit v1.2.3