diff --git a/SOURCES/0002-examples-fix-double-free-in-nftc-helper-add.patch b/SOURCES/0002-examples-fix-double-free-in-nftc-helper-add.patch
new file mode 100644
index 0000000..f42d34a
--- /dev/null
+++ b/SOURCES/0002-examples-fix-double-free-in-nftc-helper-add.patch
@@ -0,0 +1,50 @@
+From 7b175a4fc9f81fe3f721d9a7ebb5b954a4fd7606 Mon Sep 17 00:00:00 2001
+From: Liping Zhang
+Date: Sun, 19 Mar 2017 22:01:10 +0800
+Subject: [PATCH] examples: fix double free in nftc-helper-add
+
+After inputting the following test command, core dump happened:
+ # ./examples/nfct-helper-add test 1
+ *** Error in
+ `.../libnetfilter_cthelper/examples/.libs/lt-nfct-helper-add':
+ double free or corruption (fasttop): 0x0000000001f3c070 ***
+ ======= Backtrace: =========
+ /lib64/libc.so.6(+0x77de5)[0x7fd9ebe88de5]
+ /lib64/libc.so.6(+0x8022a)[0x7fd9ebe9122a]
+ /lib64/libc.so.6(cfree+0x4c)[0x7fd9ebe9478c]
+ [...]
+
+Because "struct nfct_helper_policy *p" had been freed by nfct_helper_free,
+so there's no need to invoke nfct_helper_policy_free again, otherwise
+double free error will happen.
+
+Signed-off-by: Liping Zhang
+Signed-off-by: Pablo Neira Ayuso
+(cherry picked from commit 9f223e612d3b0be6e4dca84e1db8042dbec64e93)
+---
+ examples/nfct-helper-add.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/examples/nfct-helper-add.c b/examples/nfct-helper-add.c
+index 6c476261b75e8..cb7291e8ec4b0 100644
+--- a/examples/nfct-helper-add.c
++++ b/examples/nfct-helper-add.c
+@@ -32,6 +32,7 @@ int main(int argc, char *argv[])
+ nfct_helper_attr_set_u16(nfct_helper, NFCTH_ATTR_PROTO_L3NUM, AF_INET);
+ nfct_helper_attr_set_u8(nfct_helper, NFCTH_ATTR_PROTO_L4NUM, IPPROTO_TCP);
+ 
++ /* Will be freed by nfct_helper_free. */
+ p = nfct_helper_policy_alloc();
+ if (p == NULL) {
+ perror("OOM");
+@@ -49,7 +50,6 @@ int main(int argc, char *argv[])
+ nfct_helper_nlmsg_build_payload(nlh, nfct_helper);
+ 
+ nfct_helper_free(nfct_helper);
+- nfct_helper_policy_free(p);
+ 
+ nl = mnl_socket_open(NETLINK_NETFILTER);
+ if (nl == NULL) {
+-- 
+2.21.0
+
diff --git a/SPECS/libnetfilter_cthelper.spec b/SPECS/libnetfilter_cthelper.spec
index 292b4ef..e28da6f 100644
--- a/SPECS/libnetfilter_cthelper.spec
+++ b/SPECS/libnetfilter_cthelper.spec
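Review bot: The ownership comment inserted before `p = nfct_helper_policy_alloc();` in the first inner hunk states that p "will be freed by nfct_helper_free", but at that point p is still a standalone allocation; it only becomes the helper's to release once it is attached to nfct_helper, which presumably happens in the lines between the two inner hunks (outside this view). A reader could take the comment to mean that an early exit between the alloc and the attach needs no cleanup, when on that path p would still be the caller's to free. Suggest placing the comment at the attach call and wording it `/* Owned by nfct_helper once attached; nfct_helper_free() releases it, so nfct_helper_policy_free(p) must not be called afterwards. */`. The removal of `nfct_helper_policy_free(p);` in the second inner hunk is the right fix for the double free described in the message; main() starts and ends outside both hunks.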
@@ -1,6 +1,6 @@
 Name: libnetfilter_cthelper
 Version: 1.0.0
-Release: 9%{?dist}
+Release: 10%{?dist}
 Summary: User-space infrastructure for connection tracking helpers
 Group: System Environment/Libraries
 License: GPLv2
@@ -9,6 +9,7 @@ Source0: http://www.netfilter.org/projects/libnetfilter_cthelper/files/li
 
 BuildRequires: libmnl-devel >= 1.0.0, pkgconfig, kernel-headers
 Patch1: libnetfilter_cthelper-1.0.0-cleanup.patch
+Patch2: 0002-examples-fix-double-free-in-nftc-helper-add.patch
 
 %description
 This library provides the infrastructure for the user-space helper
@@ -28,6 +29,7 @@ developing applications that use %{name}.
 %prep
 %setup -q
 %patch1 -p1
+%patch2 -p1
 
 %build
 %configure --disable-static
@@ -52,6 +54,9 @@ find $RPM_BUILD_ROOT -type f -name '*.la' -exec rm -f {} ';'
 %{_libdir}/*.so
 
 %changelog
+* Mon Mar 11 2019 Phil Sutter - 1.0.0-10
+- Resolves: rhbz#1256215 - double free happened when nfct_helper_free() [...]
+
 * Mon Jul 25 2016 Paul Wouters - 1.0.0-9
 - Resolves: rhbz#1252344 Use after free in nfct_helper_free