authorStefano Brivio <sbrivio@redhat.com>2018-08-22 11:22:53 +0200
committerJozsef Kadlecsik <kadlec@blackhole.kfki.hu>2018-08-27 13:40:09 +0200
commit623f05ed26bd7b3580954a2b495047ae976d360b (patch)
treed5aaaf1d78a026aad5ffa389488e7b7dc353c8cf
parenta758a6cdb3f5fbb81ab1b9aa7ffbbc0f7940f10e (diff)
Fix use-after-free in ipset_parse_name_compat()
When check_setname is used in ipset_parse_name_compat(), the 'str' and 'saved' macro arguments point in fact to the same buffer. Free the 'saved' argument only after using it. While at it, remove a useless NULL check on 'saved'. Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
-rw-r--r--lib/parse.c7
1 files changed, 4 insertions, 3 deletions
diff --git a/lib/parse.c b/lib/parse.c
index 9a79ccd..4963d51 100644
--- a/lib/parse.c
+++ b/lib/parse.c
@@ -1396,10 +1396,11 @@ ipset_parse_iptimeout(struct ipset_session *session,
#define check_setname(str, saved) \
do { \
if (strlen(str) > IPSET_MAXNAMELEN - 1) { \
- if (saved != NULL) \
- free(saved); \
- return syntax_err("setname '%s' is longer than %u characters",\
+ int err; \
+ err = syntax_err("setname '%s' is longer than %u characters",\
str, IPSET_MAXNAMELEN - 1); \
+ free(saved); \
+ return err; \
} \
} while (0)
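Review bot: The ordering that fixes the use-after-free is not recorded on `check_setname` itself, so a later cleanup could move `free(saved)` back above the `syntax_err()` call without noticing that `str` is still read there. A comment above the `#define` would pin it, for example `/* 'str' may alias 'saved' (see ipset_parse_name_compat()): free 'saved' only after the last use of 'str'. */`. Separately, the new `int err;` is declared inside the macro body, so an argument expression that mentions a caller variable named `err` would bind to the uninitialised inner one; the call sites are outside this hunk, so this is only worth checking, and a less common local name such as `check_setname_err` would rule it out.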