|
|
bacbc8 |
From b8d39d718360e1b46be846dbedd94a6b099a9e31 Mon Sep 17 00:00:00 2001
|
|
|
bacbc8 |
From: Florian Westphal <fw@strlen.de>
|
|
|
bacbc8 |
Date: Tue, 23 Apr 2019 13:18:05 +0200
|
|
|
bacbc8 |
Subject: [PATCH] src: fix double free on xt stmt destruction
|
|
|
bacbc8 |
|
|
|
bacbc8 |
'nft monitor' dies with:
|
|
|
bacbc8 |
*** Error in `/sbin/nft': double free or corruption (fasttop): 0x000055f8ba57b750 ***
|
|
|
bacbc8 |
|
|
|
bacbc8 |
... when the iptables-nft test suite is running in parallel, because
|
|
|
bacbc8 |
xfree(stmt->xt.name) gets called twice.
|
|
|
bacbc8 |
|
|
|
bacbc8 |
Fixes: 4ac11b890fe870 ("src: missing destroy function in statement definitions")
|
|
|
bacbc8 |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
bacbc8 |
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
bacbc8 |
(cherry picked from commit 99afd62d48f4c510bdb4076eb9d811c001ad1cac)
|
|
|
bacbc8 |
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
|
|
bacbc8 |
---
|
|
|
bacbc8 |
include/xt.h | 2 +-
|
|
|
bacbc8 |
src/statement.c | 6 ------
|
|
|
bacbc8 |
src/xt.c | 2 +-
|
|
|
bacbc8 |
3 files changed, 2 insertions(+), 8 deletions(-)
|
|
|
bacbc8 |
|
|
|
bacbc8 |
diff --git a/include/xt.h b/include/xt.h
|
|
|
bacbc8 |
index ab59bb3d45a41..9fc515084d597 100644
|
|
|
bacbc8 |
--- a/include/xt.h
|
|
|
bacbc8 |
+++ b/include/xt.h
|
|
|
bacbc8 |
@@ -9,7 +9,7 @@ struct rule;
|
|
|
bacbc8 |
struct output_ctx;
|
|
|
bacbc8 |
|
|
|
bacbc8 |
void xt_stmt_xlate(const struct stmt *stmt, struct output_ctx *octx);
|
|
|
bacbc8 |
-void xt_stmt_release(const struct stmt *stmt);
|
|
|
bacbc8 |
+void xt_stmt_destroy(struct stmt *stmt);
|
|
|
bacbc8 |
|
|
|
bacbc8 |
void netlink_parse_target(struct netlink_parse_ctx *ctx,
|
|
|
bacbc8 |
const struct location *loc,
|
|
|
bacbc8 |
diff --git a/src/statement.c b/src/statement.c
|
|
|
bacbc8 |
index 29b73f9fba4ae..c261540b92ebd 100644
|
|
|
bacbc8 |
--- a/src/statement.c
|
|
|
bacbc8 |
+++ b/src/statement.c
|
|
|
bacbc8 |
@@ -783,12 +783,6 @@ static void xt_stmt_print(const struct stmt *stmt, struct output_ctx *octx)
|
|
|
bacbc8 |
xt_stmt_xlate(stmt, octx);
|
|
|
bacbc8 |
}
|
|
|
bacbc8 |
|
|
|
bacbc8 |
-static void xt_stmt_destroy(struct stmt *stmt)
|
|
|
bacbc8 |
-{
|
|
|
bacbc8 |
- xfree(stmt->xt.name);
|
|
|
bacbc8 |
- xt_stmt_release(stmt);
|
|
|
bacbc8 |
-}
|
|
|
bacbc8 |
-
|
|
|
bacbc8 |
static const struct stmt_ops xt_stmt_ops = {
|
|
|
bacbc8 |
.type = STMT_XT,
|
|
|
bacbc8 |
.name = "xt",
|
|
|
bacbc8 |
diff --git a/src/xt.c b/src/xt.c
|
|
|
bacbc8 |
index c35c84edca0e6..ef371720fbcfa 100644
|
|
|
bacbc8 |
--- a/src/xt.c
|
|
|
bacbc8 |
+++ b/src/xt.c
|
|
|
bacbc8 |
@@ -74,7 +74,7 @@ void xt_stmt_xlate(const struct stmt *stmt, struct output_ctx *octx)
|
|
|
bacbc8 |
#endif
|
|
|
bacbc8 |
}
|
|
|
bacbc8 |
|
|
|
bacbc8 |
-void xt_stmt_release(const struct stmt *stmt)
|
|
|
bacbc8 |
+void xt_stmt_destroy(struct stmt *stmt)
|
|
|
bacbc8 |
{
|
|
|
bacbc8 |
switch (stmt->xt.type) {
|
|
|
bacbc8 |
case NFT_XT_MATCH:
|
|
|
bacbc8 |
--
|
|
|
bacbc8 |
2.21.0
|
|
|
bacbc8 |
|