conf: prevent UAF in lxc_clear_limits()
authorChristian Brauner <christian.brauner@ubuntu.com>
Fri, 26 Mar 2021 15:42:57 +0000 (16:42 +0100)
committerChristian Brauner <christian.brauner@ubuntu.com>
Fri, 26 Mar 2021 15:42:57 +0000 (16:42 +0100)
Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=32532
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
src/lxc/conf.c

index d309e244339b9aeb6f26832257d61fdd10db4650..c15a87658d2458d25f0781d603d1debd4675d812 100644 (file)
@@ -3742,7 +3742,7 @@ int lxc_clear_limits(struct lxc_conf *c, const char *key)
        else if (strnequal(key, "lxc.prlimit.", STRLITERALLEN("lxc.prlimit.")))
                k = key + STRLITERALLEN("lxc.prlimit.");
        else
-               return -1;
+               return ret_errno(EINVAL);
 
        lxc_list_for_each_safe (it, &c->limits, next) {
                struct lxc_limit *lim = it->elem;
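Review bot: The unknown-key branch now returns `ret_errno(EINVAL)` instead of `-1`, which changes the value callers see if `ret_errno` yields the negated errno, as it appears to elsewhere in LXC (its definition is not visible here). A caller that compares the result with `-1` rather than testing `< 0` would stop treating an unrecognised key as a failure, so the call sites are worth checking. A comment above the function such as `/* Returns 0 on success, a negative errno if key is not a limit key. */` would state the contract. The start of the function is outside this hunk.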
@@ -3751,11 +3751,14 @@ int lxc_clear_limits(struct lxc_conf *c, const char *key)
                        continue;
 
                lxc_list_del(it);
-               free(lim->resource);
+
+               free_disarm(lim->resource);
                free(lim);
-               free(it);
        }
 
+       if (all)
+               lxc_list_init(&c->limits);
+
        return 0;
 }
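Review bot: Dropping `free(it)` from the loop body leaves the unlinked list node with no visible owner: after `lxc_list_del(it)` the loop releases `lim->resource` and `lim` (which is `it->elem`) but never `it` itself. If nodes on `c->limits` are allocated separately from their element, as the `it->elem` indirection suggests, every cleared limit now leaks one node. The hunk does not show where the use-after-free occurred, so confirm whether `it` is read again after this point; if it is not, keep `free(it);` after `free(lim);`, otherwise add a comment naming who releases the node. Separately, `free_disarm(lim->resource)` directly before `free(lim)` gains nothing over a plain `free`, because the struct holding the cleared field is released on the next line.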