Re: [PATCH nft] evaluate: fix double free on dtype release

Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> · Tue, 5 Dec 2023 15:19:35 +0100

On Tue, Dec 05, 2023 at 01:08:17PM +0100, Florian Westphal wrote:
> We release ->dtype twice, will either segfault or assert
> on dtype->refcount != 0 check in datatype_free().
> 
> Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
> ---
>  src/evaluate.c                                              | 2 +-
>  .../bogons/nft-f/double-free-on-binop-dtype_assert          | 6 ++++++
>  2 files changed, 7 insertions(+), 1 deletion(-)
>  create mode 100644 tests/shell/testcases/bogons/nft-f/double-free-on-binop-dtype_assert
> 
> diff --git a/src/evaluate.c b/src/evaluate.c
> index 16ad6473db1a..58cc811aca9a 100644
> --- a/src/evaluate.c
> +++ b/src/evaluate.c
> @@ -1171,7 +1171,7 @@ static int expr_evaluate_prefix(struct eval_ctx *ctx, struct expr **expr)
>  	base = prefix->prefix;
>  	assert(expr_is_constant(base));
>  
> -	prefix->dtype	  = base->dtype;
> +	prefix->dtype	  = datatype_get(base->dtype);

I prefer datatype_clone() just in case base->dtype gets updated for
whatever reason.

>  	prefix->byteorder = base->byteorder;
>  	prefix->len	  = base->len;
>  	prefix->flags	 |= EXPR_F_CONSTANT;
> diff --git a/tests/shell/testcases/bogons/nft-f/double-free-on-binop-dtype_assert b/tests/shell/testcases/bogons/nft-f/double-free-on-binop-dtype_assert
> new file mode 100644
> index 000000000000..b7a9a1cc7e8b
> --- /dev/null
> +++ b/tests/shell/testcases/bogons/nft-f/double-free-on-binop-dtype_assert
> @@ -0,0 +1,6 @@
> +table inet t {
> +	chain c {
> +		udp length . @th,160,118 vmap { 47-63 . 0xe3731353631303331313037353532/3 : accept }
> +		jump noexist # only here so this fails to load after patch.
> +	}
> +}
> -- 
> 2.41.0
> 
> 