author | Carlos Falgueras García <carlosfg@riseup.net> | 2016-05-17 18:00:15 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2016-05-25 10:28:24 +0200 |
commit | 0edd209705bc4cf9d2a9e17084310c02d81f4d64 (patch) | |
tree | 13f2c0efba30cc9479a295d7afee6164e3143723 /src/rule.c | |
parent | e4e00c94a2591ef5367d559a4087dde3071e7833 (diff) |
rule: Fix segfault due to invalid free of rule user data
If the user allocates a nftnl_udata_buf and then passes the TLV data to
nftnl_rule_set_data, the pointer stored in rule.user.data is not the
beginning of the allocated block. In this situation, if it calls to
nftnl_rule_free, it tries to free this pointer and segfault is thrown.
Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/rule.c')
-rw-r--r-- | src/rule.c | 6 |
1 files changed, 5 insertions, 1 deletions
@@ -167,7 +167,11 @@ void nftnl_rule_set_data(struct nftnl_rule *r, uint16_t attr, if (r->user.data != NULL) xfree(r->user.data); - r->user.data = (void *)data; + r->user.data = malloc(data_len); + if (!r->user.data) + return; + + memcpy(r->user.data, data, data_len); r->user.len = data_len; break; } |
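Review bot: On the allocation-failure path added here (`if (!r->user.data) return;`), `r->user.len` is left at the length of the buffer that `xfree(r->user.data)` has just released, so the rule ends up with a NULL data pointer and a stale length. Either set `r->user.len = 0` before returning, or allocate into a temporary and only free and replace `r->user.data` once `malloc` has succeeded, which also keeps the previous user data intact on failure. Since the function returns `void`, the caller cannot tell that the copy did not happen; that behaviour should at least be documented. Note also that `malloc(data_len)` may return NULL when `data_len` is 0, which this check treats as a failure.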