|
 |
ef9e95 |
From 0d3f59cbe70f55f220fafd1ffff043a35a0d4503 Mon Sep 17 00:00:00 2001
|
|
|
ef9e95 |
From: Phil Sutter <psutter@redhat.com>
|
|
|
ef9e95 |
Date: Tue, 29 Jan 2019 18:12:15 +0100
|
|
|
ef9e95 |
Subject: [PATCH] flowtable: Fix use after free in two spots
|
|
|
ef9e95 |
|
|
|
ef9e95 |
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1661327
|
|
|
ef9e95 |
Upstream Status: libnftnl commit 822dc96815e96
|
|
|
ef9e95 |
|
|
|
ef9e95 |
commit 822dc96815e96465822ce4b1187c4b29c06cb7c1
|
|
|
ef9e95 |
Author: Phil Sutter <phil@nwl.cc>
|
|
|
ef9e95 |
Date: Thu Dec 20 21:03:29 2018 +0100
|
|
|
ef9e95 |
|
|
|
ef9e95 |
flowtable: Fix use after free in two spots
|
|
|
ef9e95 |
|
|
|
ef9e95 |
When freeing flowtable devices array, the loop freeing each device
|
|
|
ef9e95 |
string incorrectly included the call to free the device array itself.
|
|
|
ef9e95 |
|
|
|
ef9e95 |
Fixes: eb58f53372e74 ("src: add flowtable support")
|
|
|
ef9e95 |
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
ef9e95 |
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
ef9e95 |
---
|
|
|
ef9e95 |
src/flowtable.c | 10 ++++------
|
|
|
ef9e95 |
1 file changed, 4 insertions(+), 6 deletions(-)
|
|
|
ef9e95 |
|
|
|
ef9e95 |
diff --git a/src/flowtable.c b/src/flowtable.c
|
|
|
ef9e95 |
index aa6ce59..61ff29b 100644
|
|
|
ef9e95 |
--- a/src/flowtable.c
|
|
|
ef9e95 |
+++ b/src/flowtable.c
|
|
|
ef9e95 |
@@ -85,10 +85,9 @@ void nftnl_flowtable_unset(struct nftnl_flowtable *c, uint16_t attr)
|
|
|
ef9e95 |
case NFTNL_FLOWTABLE_FLAGS:
|
|
|
ef9e95 |
break;
|
|
|
ef9e95 |
case NFTNL_FLOWTABLE_DEVICES:
|
|
|
ef9e95 |
- for (i = 0; i < c->dev_array_len; i++) {
|
|
|
ef9e95 |
+ for (i = 0; i < c->dev_array_len; i++)
|
|
|
ef9e95 |
xfree(c->dev_array[i]);
|
|
|
ef9e95 |
- xfree(c->dev_array);
|
|
|
ef9e95 |
- }
|
|
|
ef9e95 |
+ xfree(c->dev_array);
|
|
|
ef9e95 |
break;
|
|
|
ef9e95 |
default:
|
|
|
ef9e95 |
return;
|
|
|
ef9e95 |
@@ -146,10 +145,9 @@ int nftnl_flowtable_set_data(struct nftnl_flowtable *c, uint16_t attr,
|
|
|
ef9e95 |
len++;
|
|
|
ef9e95 |
|
|
|
ef9e95 |
if (c->flags & (1 << NFTNL_FLOWTABLE_DEVICES)) {
|
|
|
ef9e95 |
- for (i = 0; i < c->dev_array_len; i++) {
|
|
|
ef9e95 |
+ for (i = 0; i < c->dev_array_len; i++)
|
|
|
ef9e95 |
xfree(c->dev_array[i]);
|
|
|
ef9e95 |
- xfree(c->dev_array);
|
|
|
ef9e95 |
- }
|
|
|
ef9e95 |
+ xfree(c->dev_array);
|
|
|
ef9e95 |
}
|
|
|
ef9e95 |
|
|
|
ef9e95 |
c->dev_array = calloc(len + 1, sizeof(char *));
|
|
|
ef9e95 |
--
|
|
|
ef9e95 |
1.8.3.1
|
|
|
ef9e95 |
|