[PATCH nft] netlink: fix use-after-free netlink_events_cache_deltable()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

h.table stores a pointer to a nftnl table object that is gone just after
assignment. Release this object once its content is not referenced anymore.

Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
---
 src/netlink.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/netlink.c b/src/netlink.c
index 1167c95..429eed4 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -1982,14 +1982,15 @@ static void netlink_events_cache_deltable(struct netlink_mon_handler *monh,
 	nlt      = netlink_table_alloc(nlh);
 	h.family = nft_table_attr_get_u32(nlt, NFT_TABLE_ATTR_FAMILY);
 	h.table  = nft_table_attr_get_str(nlt, NFT_TABLE_ATTR_NAME);
-	nft_table_free(nlt);
 
 	t = table_lookup(&h);
 	if (t == NULL)
-		return;
+		goto out;
 
 	list_del(&t->list);
 	table_free(t);
+out:
+	nft_table_free(nlt);
 }
 
 static void netlink_events_cache_addset(struct netlink_mon_handler *monh,
-- 
1.7.10.4

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
[Index of Archives]     [Netfitler Users]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux