From 786467cbdd2e170839a2f58da8f1b634388361b7 Mon Sep 17 00:00:00 2001
From: Christian Brauner
Date: Fri, 26 Mar 2021 16:42:57 +0100
Subject: [PATCH] conf: prevent UAF in lxc_clear_limits()

Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32532
Signed-off-by: Christian Brauner
---
 src/lxc/conf.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index d309e2443..c15a87658 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -3742,7 +3742,7 @@ int lxc_clear_limits(struct lxc_conf *c, const char *key)
 else if (strnequal(key, "lxc.prlimit.", STRLITERALLEN("lxc.prlimit.")))
 k = key + STRLITERALLEN("lxc.prlimit.");
 else
- return -1;
+ return ret_errno(EINVAL);
 
 lxc_list_for_each_safe (it, &c->limits, next) {
 struct lxc_limit *lim = it->elem;
@@ -3751,11 +3751,14 @@ int lxc_clear_limits(struct lxc_conf *c, const char *key)
 continue;
 
 lxc_list_del(it);
- free(lim->resource);
+
+ free_disarm(lim->resource);
 free(lim);
- free(it);
 }
 
+ if (all)
+ lxc_list_init(&c->limits);
+
 return 0;
 }
-- 
2.47.2
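Review bot: The removal of `free(it)` in the second hunk is not explained by the commit message, and whether it is correct depends on who owns the list node: the old code treated `it` as a separate heap allocation, so if the insertion path still allocates the `struct lxc_list` node separately from `lim`, each cleared entry now leaks that node, whereas if the node is embedded in or released together with `lim`, the old `free(it)` was the double free behind the reported UAF. A one-line comment at the `lxc_list_del(it);` site stating the actual ownership, e.g. `/* the list node is owned by lim; do not free it separately */`, would keep the next reader from reinstating the call. The trailing `if (all) lxc_list_init(&c->limits);` appears redundant when the loop has already unlinked every node, though it is harmless; note that `all`, the loop's matching condition and the function's opening lines are outside this hunk.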