[PATCH nft 1/7] json: fix use after free in table_flags_json()

Valgrind complains about this:

  ==286== Invalid read of size 4
  ==286==    at 0x49B0261: do_dump (dump.c:211)
  ==286==    by 0x49B08B8: do_dump (dump.c:378)
  ==286==    by 0x49B08B8: do_dump (dump.c:378)
  ==286==    by 0x49B04F7: do_dump (dump.c:273)
  ==286==    by 0x49B08B8: do_dump (dump.c:378)
  ==286==    by 0x49B0E84: json_dump_callback (dump.c:465)
  ==286==    by 0x48AF22A: do_command_list_json (json.c:2016)
  ==286==    by 0x48732F1: do_command_list (rule.c:2335)
  ==286==    by 0x48737F5: do_command (rule.c:2605)
  ==286==    by 0x48A867D: nft_netlink (libnftables.c:42)
  ==286==    by 0x48A92B1: nft_run_cmd_from_buffer (libnftables.c:597)
  ==286==    by 0x402CBA: main (main.c:533)
  ==286==  Address 0x5038650 is 0 bytes inside a block of size 32 free'd
  ==286==    at 0x48452AC: free (vg_replace_malloc.c:974)
  ==286==    by 0x49AECDD: UnknownInlinedFun (jansson.h:133)
  ==286==    by 0x49AECDD: UnknownInlinedFun (jansson.h:131)
  ==286==    by 0x49AECDD: UnknownInlinedFun (value.c:398)
  ==286==    by 0x49AECDD: json_delete (value.c:953)
  ==286==    by 0x48A9F61: json_decref (jansson.h:133)
  ==286==    by 0x48AA4AA: table_flags_json (json.c:494)
  ==286==    by 0x48AA52B: table_print_json (json.c:510)
  ==286==    by 0x48ABBAE: table_print_json_full (json.c:1695)
  ==286==    by 0x48ABD48: do_list_ruleset_json (json.c:1739)
  ==286==    by 0x48AF2A0: do_command_list_json (json.c:1962)
  ==286==    by 0x48732F1: do_command_list (rule.c:2335)
  ==286==    by 0x48737F5: do_command (rule.c:2605)
  ==286==    by 0x48A867D: nft_netlink (libnftables.c:42)
  ==286==    by 0x48A92B1: nft_run_cmd_from_buffer (libnftables.c:597)
  ==286==    by 0x402CBA: main (main.c:533)
  ==286==  Block was alloc'd at
  ==286==    at 0x484282F: malloc (vg_replace_malloc.c:431)
  ==286==    by 0x49AE4EA: UnknownInlinedFun (memory.c:27)
  ==286==    by 0x49AE4EA: UnknownInlinedFun (value.c:676)
  ==286==    by 0x49AE4EA: json_stringn_nocheck (value.c:696)
  ==286==    by 0x48AA464: table_flags_json (json.c:482)
  ==286==    by 0x48AA52B: table_print_json (json.c:510)
  ==286==    by 0x48ABBAE: table_print_json_full (json.c:1695)
  ==286==    by 0x48ABD48: do_list_ruleset_json (json.c:1739)
  ==286==    by 0x48AF2A0: do_command_list_json (json.c:1962)
  ==286==    by 0x48732F1: do_command_list (rule.c:2335)
  ==286==    by 0x48737F5: do_command (rule.c:2605)
  ==286==    by 0x48A867D: nft_netlink (libnftables.c:42)
  ==286==    by 0x48A92B1: nft_run_cmd_from_buffer (libnftables.c:597)
  ==286==    by 0x402CBA: main (main.c:533)

Fixes: e70354f53e9f ("libnftables: Implement JSON output support")
Signed-off-by: Thomas Haller <thaller@xxxxxxxxxx>
---
 src/json.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/json.c b/src/json.c
index 068c423addc7..c0ccf06d85b4 100644
--- a/src/json.c
+++ b/src/json.c
@@ -496,7 +496,7 @@ static json_t *table_flags_json(const struct table *table)
 		json_decref(root);
 		return NULL;
 	case 1:
-		json_unpack(root, "[o]", &tmp);
+		json_unpack(root, "[O]", &tmp);
 		json_decref(root);
 		root = tmp;
 		break;
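Review bot: The "[o]" to "[O]" change is the right fix for the dangling pointer at the `json_unpack(root, "[O]", &tmp);` line, since jansson's lowercase "o" format returns a borrowed reference that the `json_decref(root);` on the next line releases together with the one-element array, whereas uppercase "O" takes a new reference that outlives that decref; a one-line comment next to the "[O]" saying that the decref below would otherwise free tmp would spare the next reader from re-deriving this from the Valgrind trace. The return value of json_unpack() is still ignored here; on a one-element array in the `case 1:` branch a shape mismatch cannot occur, but either checking it or writing the intent directly as `tmp = json_incref(json_array_get(root, 0));` would make the ownership transfer explicit. After the decref the array is gone and the caller of table_flags_json() owns the single remaining reference on the string assigned via `root = tmp;`, which matches how the other cases of this function hand back an owned `root`.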
-- 
2.41.0



