[PATCH nft] libnftables: use-after-free in exit path

==29699== Invalid read of size 8
==29699==    at 0x507E140: ct_label_table_exit (ct.c:239)
==29699==    by 0x5091877: nft_exit (libnftables.c:97)
==29699==    by 0x5091877: nft_ctx_free (libnftables.c:297)
[...]
==29699==  Address 0xb251008 is 136 bytes inside a block of size 352 free'd
==29699==    at 0x4C2CDDB: free (vg_replace_malloc.c:530)
==29699==    by 0x509186F: nft_ctx_free (libnftables.c:296)
[...]
==29699==  Block was alloc'd at
==29699==    at 0x4C2DBC5: calloc (vg_replace_malloc.c:711)
==29699==    by 0x508C51D: xmalloc (utils.c:36)
==29699==    by 0x508C51D: xzalloc (utils.c:65)
==29699==    by 0x50916BE: nft_ctx_new (libnftables.c:151)
[...]

Release symbol tables before context object.

Fixes: 45cb29a2ada4 ("src: remove global symbol_table")
Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
---
 src/libnftables.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/libnftables.c b/src/libnftables.c
index b169dd2f2afe..a19636b22683 100644
--- a/src/libnftables.c
+++ b/src/libnftables.c
@@ -293,8 +293,8 @@ void nft_ctx_free(struct nft_ctx *ctx)
 	cache_release(&ctx->cache);
 	nft_ctx_clear_include_paths(ctx);
 	xfree(ctx->state);
-	xfree(ctx);
 	nft_exit(ctx);
+	xfree(ctx);
 }
 
 EXPORT_SYMBOL(nft_ctx_set_output);
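Review bot: swapping the two lines fixes the ordering, but nothing in nft_ctx_free() records that nft_exit() dereferences ctx (the valgrind trace above shows ct_label_table_exit() reading 136 bytes into the freed 352-byte block), so a later cleanup could reintroduce the same use-after-free; suggest a one-line comment above `nft_exit(ctx);` stating that it must stay the last use of ctx before `xfree(ctx);`. Also worth confirming that nft_exit() does not reach into ctx->state, which is already released two lines earlier by `xfree(ctx->state);` and would be a second stale pointer inside the still-live ctx.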
-- 
2.11.0
