From 0edd209705bc4cf9d2a9e17084310c02d81f4d64 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Carlos=20Falgueras=20Garc=C3=ADa?=
Date: Tue, 17 May 2016 18:00:15 +0200
Subject: rule: Fix segfault due to invalid free of rule user data
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

If the user allocates a nftnl_udata_buf and then passes the TLV data to nftnl_rule_set_data, the pointer stored in rule.user.data is not the begining of the allocated block. In this situation, if it calls to nftnl_rule_free, it tries to free this pointer and segfault is thrown.

Signed-off-by: Carlos Falgueras GarcĂ­a
Signed-off-by: Pablo Neira Ayuso
---
 src/rule.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

(limited to 'src/rule.c')

diff --git a/src/rule.c b/src/rule.c
index c299548..8ee8648 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -167,7 +167,11 @@ void nftnl_rule_set_data(struct nftnl_rule *r, uint16_t attr,
 		if (r->user.data != NULL)
 			xfree(r->user.data);
 
-		r->user.data = (void *)data;
+		r->user.data = malloc(data_len);
+		if (!r->user.data)
+			return;
+
+		memcpy(r->user.data, data, data_len);
 		r->user.len = data_len;
 		break;
 	}
-- 
cgit v1.2.3
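Review bot: The early return on malloc failure leaves the rule in an inconsistent state: the old buffer has already been freed and r->user.data is now NULL, but r->user.len still holds the previous length, so any later consumer that trusts len before checking data would read through a null pointer; reset the length on the failure path, `if (!r->user.data) { r->user.len = 0; return; }`. Because nftnl_rule_set_data returns void, the caller also has no way to learn that its user data was silently dropped; if the API can be changed, returning an error code here (and from the other NFTNL_RULE_* cases) would let callers react, otherwise a comment such as `/* allocation failure: user data is cleared, not reported */` should document the behaviour. Note that data_len == 0 makes malloc(0) implementation-defined and may be treated as a failure on some platforms; if zero-length user data is valid input, handle that case explicitly before allocating. The enclosing switch and function start before the hunk, and the flags update that normally follows the switch is outside it, so whether a previous call's flag bit stays set on this failure path cannot be confirmed here.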