[Bug] uci_import: Infinite loop/hang when processing input with embedded null bytes

[liloler]

Description

I discovered a Denial of Service (DoS) vulnerability in the uci_import function. When processing a configuration line containing embedded null bytes (\x00) without a trailing newline, the parser enters an infinite loop or hangs significantly.

This causes performance degradation from ~20ms to over 20 seconds (or indefinite hang depending on memory/timeout), effectively blocking the process.

Steps to Reproduce

1. Download the Proof of Concept (PoC) file:
   hang_id000003.bin

2. Run uci import with the malicious file:

   # This command will hang/timeout
   ./uci import -f hang_id000003.bin
   

3. **Comparison:**
* Valid config processing time: ~20ms
* PoC processing time: >20s (Severe Hang)



### Root Cause Analysis

The issue is located in `file.c`, specifically around the buffer handling loop.

When `fgets()` reads a line containing null bytes, it includes them in the buffer. However, `strlen(p)` stops at the first null byte. As a result, the offset `ofs` is not incremented correctly to skip the full data read by `fgets`, causing the loop to process the same buffer segment repeatedly (or reallocate infinitely).

**Location:** `file.c` (approx line 66 in current master)

```c
// Current logic issue:
ofs += strlen(p);  // stops at \x00, but buffer has more data

Impact

• DoS: Service startup delay or hang if malicious config files are present.
• Web/API: If uci import is used to handle user-uploaded configurations (e.g., via LuCI or API), this could lead to a resource exhaustion attack.

Suggested Fix

Use strnlen or calculate the length based on the buffer size to ensure all characters (including embedded nulls) are processed or rejected.

// Proposed patch logic:
// Change from:
// ofs += strlen(p);

// To something like:
size_t len = strnlen(p, pctx->bufsz - ofs);
if (len == 0 && p[0] != '\0') {
    uci_parse_error(ctx, "embedded null byte detected");
    return;
}
ofs += len;

Environment

• Project: openwrt/uci
• Version: Latest master
• Discovery Method: AFL++ Fuzzing

[ynezz]

@liloler Hi, thanks for the report and care about the OpenWrt! Can you fine tune your LLM reporting pipeline to actually add a reproducer to verify the findings? I told CC to do exactly that and I'm not able to reproduce it ynezz@35a4452

https://github.com/ynezz/openwrt-uci/actions/runs/21330069582/job/61393442053

[liloler]

Hi @ynezz,

Thank you for the feedback.

To assist in reproducing this issue, I have detailed my exact build environment. I built json-c and libubox from source and specifically disabled Lua bindings (-DBUILD_LUA=OFF) to isolate the core C functionality.

Here are the precise steps to replicate my environment and trigger the hang:

1. Build Environment Setup
I used the following commands to build dependencies and uci (Release mode):

# 1. Setup Environment
export INSTALL_DIR="$HOME/.local"
export PKG_CONFIG_PATH="$INSTALL_DIR/lib/pkgconfig:$INSTALL_DIR/lib64/pkgconfig:$PKG_CONFIG_PATH"
mkdir -p "$INSTALL_DIR"

# 2. Build json-c
git clone https://github.com/json-c/json-c.git && cd json-c
mkdir build && cd build
cmake -DCMAKE_BUILD_TYPE=Release -DCMAKE_INSTALL_PREFIX="$INSTALL_DIR" ..
make -j$(nproc) && make install
cd ../..

# 3. Build libubox (Lua Disabled)
git clone https://git.openwrt.org/project/libubox.git && cd libubox
cmake -DCMAKE_BUILD_TYPE=Release -DBUILD_LUA=OFF \
      -DCMAKE_INSTALL_PREFIX="$INSTALL_DIR" \
      -DCMAKE_PREFIX_PATH="$INSTALL_DIR" .
make -j$(nproc) && make install
cd ..

# 4. Build uci (Lua Disabled)
# Assuming inside uci source root
rm -rf build_release && mkdir build_release && cd build_release
cmake -DCMAKE_BUILD_TYPE=Release \
      -DBUILD_LUA=OFF \
      -DCMAKE_PREFIX_PATH="$INSTALL_DIR" ..
make -j$(nproc)

2. The Reproducer File
Please download the specific PoC file hang_test_case_003.bin:
https://github.com/liloler/poc001/blob/main/hang_test_case_003.bin

3. Execution Command
The Infinite Loop/Hang is triggered when uci import reads the file via stdin. Please run:

# This command triggers the hang
./uci import < /path/to/hang_test_case_003.bin

Expected Result:
The process hangs indefinitely (100% CPU usage) immediately after execution.

[ynezz]

Thanks for the update, now I'm able to reproduce it https://github.com/ynezz/openwrt-uci/actions/runs/21361435959/job/61481526236#step:11:23

--- /home/runner/work/openwrt-uci/openwrt-uci/tests/cram/test_uci_import_hang.t
+++ /home/runner/work/openwrt-uci/openwrt-uci/tests/cram/test_uci_import_hang.t.err
@@ -10,5 +10,4 @@
 check hang_test_case_003 from issue #18 comment:
 
   $ timeout 2 uci import < $FUZZ_CORPUS/hang_test_case_003.bin
-  uci: Parse error * (glob)
-  [1]
+  [124]

(that 124 exit status is from timeout command which means timeout)