From: Christian Brauner
Date: Fri, 26 Mar 2021 15:42:57 +0000 (+0100)
Subject: conf: prevent UAF in lxc_clear_limits()
X-Git-Tag: lxc-5.0.0~242^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=786467cbdd2e170839a2f58da8f1b634388361b7;p=thirdparty%2Flxc.git
conf: prevent UAF in lxc_clear_limits()
Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32532
Signed-off-by: Christian Brauner
---
diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index d309e2443..c15a87658 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -3742,7 +3742,7 @@ int lxc_clear_limits(struct lxc_conf *c, const char *key)
 else if (strnequal(key, "lxc.prlimit.", STRLITERALLEN("lxc.prlimit.")))
 k = key + STRLITERALLEN("lxc.prlimit.");
 else
- return -1;
+ return ret_errno(EINVAL);
 lxc_list_for_each_safe (it, &c->limits, next) {
 struct lxc_limit *lim = it->elem;
@@ -3751,11 +3751,14 @@ int lxc_clear_limits(struct lxc_conf *c, const char *key)
 continue;
 lxc_list_del(it);
- free(lim->resource);
+
+ free_disarm(lim->resource);
 free(lim);
- free(it);
 }
+ if (all)
+ lxc_list_init(&c->limits);
+
 return 0;
 }
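Review bot: In the second hunk the loop still unlinks the node with `lxc_list_del(it)` and frees `lim->resource` and `lim`, but the `free(it);` line is removed, so the list node itself appears to be leaked for every cleared limit unless it is released somewhere outside this hunk. If the node is a separate heap allocation, `free(it);` should stay after `free(lim);`; if dropping it is intentional, a one-line comment stating who owns the node would prevent it being "fixed" back later. Separately, `free_disarm(lim->resource);` directly before `free(lim);` presumably only clears a field of an object that is freed on the next line, so it would not guard against a later access through a stale `it->elem`. The function begins before the hunk, so the declaration of `all` and the condition guarding `continue` are not visible here.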