#988 use-after-free in json configuration parser

The cfg structure stores pointers to the string in this json tree. Do not release the json tree, keep it as field in the cfg structure.
2020-09-22 15:22:26 +02:00 · 2020-09-22 15:22:26 +02:00 · bdd8519d03
parent af47a082ad
commit bdd8519d03
2 changed files with 20 additions and 10 deletions
--- a/src/cfg.c
+++ b/src/cfg.c
@ -121,19 +121,22 @@ int parse_json_config(const char *filename, struct og_server_cfg *cfg)

 	json_object_foreach(root, key, value) {
 		if (!strcmp(key, "rest")) {
-			if (parse_json_rest(cfg, value) < 0)
-				return -1;
-
+			if (parse_json_rest(cfg, value) < 0) {
+				ret = -1;
+				break;
+			}
 			flags |= OG_SERVER_CFG_REST;
 		} else if (!strcmp(key, "wol")) {
-			if (parse_json_wol(cfg, value) < 0)
-				return -1;
-
+			if (parse_json_wol(cfg, value) < 0) {
+				ret = -1;
+				break;
+			}
 			flags |= OG_SERVER_CFG_WOL;
 		} else if (!strcmp(key, "database")) {
-			if (parse_json_db(cfg, value) < 0)
-				return -1;
-
+			if (parse_json_db(cfg, value) < 0) {
+				ret = -1;
+				break;
+			}
 			flags |= OG_SERVER_CFG_DB;
 		} else {
 			syslog(LOG_ERR, "unknown key `%s' in %s\n",
@ -142,6 +145,9 @@ int parse_json_config(const char *filename, struct og_server_cfg *cfg)
 		}
 	}

+	if (ret < 0)
+		json_decref(root);
+
 	if ((flags & OG_SERVER_CFG_REST) &&
 	    (flags & OG_SERVER_CFG_DB) &&
 	    (flags & OG_SERVER_CFG_WOL)) {
@ -151,7 +157,10 @@ int parse_json_config(const char *filename, struct og_server_cfg *cfg)
 		ret = -1;
 	}

-	json_decref(root);
+	if (ret < 0)
+		json_decref(root);
+	else
+		cfg->json = root;

 	return ret;
 }
--- a/src/cfg.h
+++ b/src/cfg.h
@ -17,6 +17,7 @@ struct og_server_cfg {
        struct {
                const char      *interface;
        } wol;
+	json_t			*json;
 };

 int parse_json_config(const char *filename, struct og_server_cfg *cfg);