fix use after free bug in the trigger handling code

Signed-off-by: John Crispin <blogic@openwrt.org>

instance.c

@@ -317,10 +317,14 @@ instance_config_parse(struct service_instance *in)
 		return false;
 
 	in->command = cur;
-	in->trigger = tb[INSTANCE_ATTR_TRIGGER];
 
-	if (in->trigger)
+	if (tb[INSTANCE_ATTR_TRIGGER]) {
+		in->trigger = malloc(blob_len(tb[INSTANCE_ATTR_TRIGGER]));
+		if (!in->trigger)
+			return -1;
+		memcpy(in->trigger, tb[INSTANCE_ATTR_TRIGGER], blob_len(tb[INSTANCE_ATTR_TRIGGER]));
 		trigger_add(in->trigger, in);
+	}
 
 	if ((cur = tb[INSTANCE_ATTR_NICE])) {
 		in->nice = (int8_t) blobmsg_get_u32(cur);
@@ -395,6 +399,7 @@ instance_free(struct service_instance *in)
 	uloop_process_delete(&in->proc);
 	uloop_timeout_cancel(&in->timeout);
 	trigger_del(in);
+	free(in->trigger);
 	instance_config_cleanup(in);
 	free(in->config);
 	free(in);

service.c

@@ -101,11 +101,17 @@ service_update(struct service *s, struct blob_attr *config, struct blob_attr **t
 	struct blob_attr *cur;
 	int rem;
 
-	if (s->trigger)
+	if (s->trigger) {
 		trigger_del(s);
+		free(s->trigger);
+		s->trigger = NULL;
+	}
 
 	if (tb[SERVICE_SET_TRIGGER] && blobmsg_data_len(tb[SERVICE_SET_TRIGGER])) {
-		s->trigger = tb[SERVICE_SET_TRIGGER];
+		s->trigger = malloc(blob_len(tb[SERVICE_SET_TRIGGER]));
+		if (!s->trigger)
+			return -1;
+		memcpy(s->trigger, tb[SERVICE_SET_TRIGGER], blob_len(tb[SERVICE_SET_TRIGGER]));
 		trigger_add(s->trigger, s);
 	}
 
@@ -128,6 +134,8 @@ service_delete(struct service *s)
 	vlist_flush_all(&s->instances);
 	avl_delete(&services, &s->avl);
 	trigger_del(s);
+	s->trigger = NULL;
+	free(s->trigger);
 	free(s->config);
 	free(s);
 }