If the user allocates a nftnl_udata_buf and then passes the TLV data to nftnl_rule_set_data, the pointer stored in rule.user.data is not the beginning of the allocated block. In this situation, if it calls nftnl_rule_free, it tries to free this pointer and a segfault is thrown.

Signed-off-by: Carlos Falgueras García <carlosfg@xxxxxxxxxx>
---
 src/rule.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/rule.c b/src/rule.c
index c299548..3f276f8 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -167,7 +167,12 @@ void nftnl_rule_set_data(struct nftnl_rule *r, uint16_t attr, if (r->user.data != NULL) xfree(r->user.data); - r->user.data = (void *)data; + r->user.data = malloc(data_len); + if (!r->user.data) { + perror("libnftnl: " __FILE__ ": nftnl_rule_set_data()"); + return; + } + memcpy(r->user.data, data, data_len); r->user.len = data_len; break; }
--
2.8.2
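Review bot: the malloc failure path in this hunk leaves the rule in an inconsistent state, because `r->user.data` is now NULL (the old buffer was already released by `xfree(r->user.data)` above) while `r->user.len` still holds the previous length; add `r->user.len = 0;` before the `return;` so no later reader trusts a non-zero length with a NULL pointer. Related: `nftnl_rule_set_data` returns void, so a caller cannot tell that the copy failed and that its data was silently dropped, which is worth at least a comment or a follow-up that propagates the error. Also note that this changes the ownership contract from "the rule takes the caller's pointer and frees it" to "the rule copies the bytes and the caller keeps ownership"; existing callers that relied on the old behaviour will now leak their buffer, so the commit message or the API documentation should state the new contract, and `data_len == 0` should be considered since `malloc(0)` may return NULL and be reported as a failure.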