From 942b2d318642cc6b596b8d9778daa506a5578a56 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner@ubuntu.com>
Date: Mon, 29 Mar 2021 12:01:49 +0200
Subject: [PATCH] confile: clear netdev on network type change

Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32584
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
---
 src/lxc/confile.c       |  5 +++--
 src/lxc/confile_utils.c | 31 +++++++++++++++++++++++--------
 src/lxc/confile_utils.h |  1 +
 3 files changed, 27 insertions(+), 10 deletions(-)

diff --git a/src/lxc/confile.c b/src/lxc/confile.c
index b125db926..cb3866c6d 100644
--- a/src/lxc/confile.c
+++ b/src/lxc/confile.c
@@ -316,8 +316,9 @@ static int set_config_net_type(const char *key, const char *value,
 	if (!netdev)
 		return ret_errno(EINVAL);
 
+	clr_config_net_type(key, lxc_conf, data);
 	if (lxc_config_value_empty(value))
-		return clr_config_net_type(key, lxc_conf, data);
+		return 0;
 
 	if (strequal(value, "veth")) {
 		netdev->type = LXC_NET_VETH;
@@ -4871,7 +4872,7 @@ static int clr_config_net_type(const char *key, struct lxc_conf *lxc_conf,
 	if (!netdev)
 		return ret_errno(EINVAL);
 
-	netdev->type = -1;
+	lxc_clear_netdev(netdev);
 
 	return 0;
 }
diff --git a/src/lxc/confile_utils.c b/src/lxc/confile_utils.c
index 06b4869ce..4d52d044d 100644
--- a/src/lxc/confile_utils.c
+++ b/src/lxc/confile_utils.c
@@ -403,26 +403,29 @@ void lxc_log_configured_netdevs(const struct lxc_conf *conf)
 	}
 }
 
-static void lxc_free_netdev(struct lxc_netdev *netdev)
+void lxc_clear_netdev(struct lxc_netdev *netdev)
 {
 	struct lxc_list *cur, *next;
+	ssize_t idx;
 
 	if (!netdev)
 		return;
 
-	free(netdev->upscript);
-	free(netdev->downscript);
-	free(netdev->hwaddr);
-	free(netdev->mtu);
+	idx = netdev->idx;
+
+	free_disarm(netdev->upscript);
+	free_disarm(netdev->downscript);
+	free_disarm(netdev->hwaddr);
+	free_disarm(netdev->mtu);
 
-	free(netdev->ipv4_gateway);
+	free_disarm(netdev->ipv4_gateway);
 	lxc_list_for_each_safe(cur, &netdev->ipv4, next) {
 		lxc_list_del(cur);
 		free(cur->elem);
 		free(cur);
 	}
 
-	free(netdev->ipv6_gateway);
+	free_disarm(netdev->ipv6_gateway);
 	lxc_list_for_each_safe(cur, &netdev->ipv6, next) {
 		lxc_list_del(cur);
 		free(cur->elem);
@@ -448,7 +451,19 @@ static void lxc_free_netdev(struct lxc_netdev *netdev)
 		}
 	}
 
-	free(netdev);
+	memset(netdev, 0, sizeof(struct lxc_netdev));
+	lxc_list_init(&netdev->ipv4);
+	lxc_list_init(&netdev->ipv6);
+	netdev->type = -1;
+	netdev->idx = idx;
+}
+
+static void lxc_free_netdev(struct lxc_netdev *netdev)
+{
+	if (netdev) {
+		lxc_clear_netdev(netdev);
+		free(netdev);
+	}
 }
 
 bool lxc_remove_nic_by_idx(struct lxc_conf *conf, unsigned int idx)
diff --git a/src/lxc/confile_utils.h b/src/lxc/confile_utils.h
index 670f3894b..f675ac176 100644
--- a/src/lxc/confile_utils.h
+++ b/src/lxc/confile_utils.h
@@ -37,6 +37,7 @@ __hidden extern struct lxc_netdev *lxc_get_netdev_by_idx(struct lxc_conf *conf,
 __hidden extern void lxc_log_configured_netdevs(const struct lxc_conf *conf);
 __hidden extern bool lxc_remove_nic_by_idx(struct lxc_conf *conf, unsigned int idx);
 __hidden extern void lxc_free_networks(struct lxc_list *networks);
+__hidden extern void lxc_clear_netdev(struct lxc_netdev *netdev);
 __hidden extern int lxc_veth_mode_to_flag(int *mode, const char *value);
 __hidden extern char *lxc_veth_flag_to_mode(int mode);
 __hidden extern int lxc_macvlan_mode_to_flag(int *mode, const char *value);
-- 
2.47.3