#988 use-after-free in json configuration parser

The cfg structure stores pointers to the string in this json tree. Do not
release the json tree, keep it as field in the cfg structure.

2 files changed, 20 insertions, 10 deletions

diff --git a/src/cfg.c b/src/cfg.c
index bd38a84..fa88fc1 100644
--- a/src/cfg.c
+++ b/src/cfg.c
@@ -121,19 +121,22 @@ int parse_json_config(const char *filename, struct og_server_cfg *cfg)
 
 	json_object_foreach(root, key, value) {
 		if (!strcmp(key, "rest")) {
-			if (parse_json_rest(cfg, value) < 0)
-				return -1;
-
+			if (parse_json_rest(cfg, value) < 0) {
+				ret = -1;
+				break;
+			}
 			flags |= OG_SERVER_CFG_REST;
 		} else if (!strcmp(key, "wol")) {
-			if (parse_json_wol(cfg, value) < 0)
-				return -1;
-
+			if (parse_json_wol(cfg, value) < 0) {
+				ret = -1;
+				break;
+			}
 			flags |= OG_SERVER_CFG_WOL;
 		} else if (!strcmp(key, "database")) {
-			if (parse_json_db(cfg, value) < 0)
-				return -1;
-
+			if (parse_json_db(cfg, value) < 0) {
+				ret = -1;
+				break;
+			}
 			flags |= OG_SERVER_CFG_DB;
 		} else {
 			syslog(LOG_ERR, "unknown key `%s' in %s\n",
@@ -142,6 +145,9 @@ int parse_json_config(const char *filename, struct og_server_cfg *cfg)
 		}
 	}
 
+	if (ret < 0)
+		json_decref(root);
+
 	if ((flags & OG_SERVER_CFG_REST) &&
 	    (flags & OG_SERVER_CFG_DB) &&
 	    (flags & OG_SERVER_CFG_WOL)) {
@@ -151,7 +157,10 @@ int parse_json_config(const char *filename, struct og_server_cfg *cfg)
 		ret = -1;
 	}
 
-	json_decref(root);
+	if (ret < 0)
+		json_decref(root);
+	else
+		cfg->json = root;
 
 	return ret;
 }
diff --git a/src/cfg.h b/src/cfg.h
index 5b89db2..6c7d221 100644
--- a/src/cfg.h
+++ b/src/cfg.h
@@ -17,6 +17,7 @@ struct og_server_cfg {
         struct {
                 const char      *interface;
         } wol;
+	json_t			*json;
 };
 
 int parse_json_config(const char *filename, struct og_server_cfg *cfg);