OpenWrt/LEDE Project

  • Status Closed
  • Percent Complete
  • Task Type Bug Report
  • Category Base system
  • Assigned To No-one
  • Operating System All
  • Severity Low
  • Priority Very Low
  • Reported Version Trunk
  • Due in Version Undecided
  • Due Date Undecided
  • Private
Attached to Project: OpenWrt/LEDE Project
Opened by olegio170 - 26.05.2020
Last edited by Jo-Philipp Wich - 26.05.2020

FS#3126 - rpcd crashes upon calling uci add method to add non-existent option with an empty value

The root cause of this bug is the same as for the one that was fixed in commit:;a=commit;h=bd0ed2521476c3e5b6c1a0e0bd2c386ea809d74b

It is possible to crash rpcd using the uci add method with values that contain a non-existent option with an empty value, if the section already exists.

Steps to reproduce:

  1. Add a new section to some config file, e.g. firewall. It doesn’t matter which values or which name we use. Please note that this step can be omitted and some existing section used instead. It is provided only to simplify the reproduction instructions.
    ubus call uci add '{"config": "firewall", "name":"unique_name", "type": "rule", "values": {"target":"ACCEPT"}}'
  2. Add options to the created section, using one non-existent option with an empty value.
    ubus call uci add '{"config": "firewall", "name":"unique_name_1", "type": "rule", "values": {"description": "", "target":"ACCEPT"}}'

    After that rpcd will crash.

Technical cause:
This bug is caused by the fact that the flags in uci_ptr in the rpc_uci_add function are not cleaned correctly. As the section exists, the UCI_LOOKUP_COMPLETE flag will be set after calling rpc_uci_lookup to find the section. Later on, while handling each key:value pair provided by the user, that uci_ptr with the UCI_LOOKUP_COMPLETE flag set will be used without cleaning to set new values in the config. If an option provided by the user doesn’t exist in the config, uci_ptr should NOT have the UCI_LOOKUP_COMPLETE flag set during the call to uci_set. However, due to the absence of ptr cleaning, that flag is set even for the option “description” from step 2, which does not exist in the config. That leads to the cleaning of the whole section instead of the option in the uci_set function. This leads to a use-after-free when we try to set the value for the next option and causes rpcd to crash.

Proposed fix:
Add cleaning of the uci_ptr flags in the for_each key:value loop in the rpc_uci_add function.
Please see attached patch.

Closed by  Jo-Philipp Wich
26.05.2020 14:27
Reason for closing:  Fixed
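
A simplified model of the stale-flag pattern described under "Technical cause", added here as an example; it is not rpcd or libuci code. The structs and the functions model_lookup, model_set, apply_values and report_case are hypothetical stand-ins, and the section and values are constructed to mirror the reproduction steps.

```c
#include <stdbool.h>
#include <string.h>
#define LOOKUP_COMPLETE 1   /* stands in for UCI_LOOKUP_COMPLETE */
#define MAX_OPTS 8
struct section { bool alive; size_t n; const char *opt[MAX_OPTS]; };
struct ptr { struct section *s; const char *option, *value; int o, flags; };
struct kv { const char *key, *val; };

/* Model lookup: sets COMPLETE on a hit and never clears it on a miss. */
static void model_lookup(struct ptr *p) {
    p->o = -1;
    if (!p->option) { p->flags |= LOOKUP_COMPLETE; return; } /* section hit */
    for (size_t i = 0; i < p->s->n; i++)
        if (!strcmp(p->s->opt[i], p->option)) { p->o = (int)i; p->flags |= LOOKUP_COMPLETE; }
}

/* Model set: an empty value with COMPLETE set deletes what was resolved. */
static int model_set(struct ptr *p) {
    if (!p->s->alive) return -1;  /* per the report, freed memory is used here */
    if (p->value[0] == '\0') {
        if (!(p->flags & LOOKUP_COMPLETE)) return 0;  /* nothing to delete */
        if (p->o >= 0) p->s->opt[p->o] = p->s->opt[--p->s->n];
        else p->s->alive = false;  /* no option resolved: the section goes */
        return 0;
    }
    if (p->o < 0 && p->s->n < MAX_OPTS) p->s->opt[p->s->n++] = p->option;
    return 0;
}

/* Returns how many writes landed on an already-deleted section. */
int apply_values(struct section *s, const struct kv *v, size_t n, bool clear_flags) {
    struct ptr p = { .s = s, .option = NULL, .value = "rule", .o = -1, .flags = 0 };
    int stale_writes = 0;
    model_lookup(&p);                      /* section exists: COMPLETE set */
    for (size_t i = 0; i < n; i++) {
        if (clear_flags) p.flags = 0;      /* per-iteration reset */
        p.option = v[i].key; p.value = v[i].val;
        model_lookup(&p);
        if (model_set(&p) < 0) stale_writes++;
    }
    return stale_writes;
}

/* Constructed input mirroring the report: section already has "target". */
int report_case(bool clear_flags) {
    struct section s = { true, 1, { "target" } };
    const struct kv v[] = { { "description", "" }, { "target", "ACCEPT" } };
    return apply_values(&s, v, 2, clear_flags);
}
```

Without the reset, the empty "description" value deletes the whole section and the following "target" write lands on it; with the reset, the empty value is a no-op and the section survives.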
olegio170 commented on 26.05.2020 14:14

Typo in step 2 of the steps to reproduce: the name should be unique_name instead of unique_name_1.
So the full command will be:

ubus call uci add '{"config": "firewall", "name":"unique_name", "type": "rule", "values": {"description": "", "target":"ACCEPT"}}'
