authorPablo Neira Ayuso <pablo@netfilter.org>2019-09-11 13:52:43 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2019-09-11 13:55:33 +0200
commit80ac631e0eae75f47962aa73d74d2d9c0a0ddaaa (patch)
treeb1008a8585fc5d3a0664503d620d81158020ce1f
parent805969ec63f22303d89a25dd8aa23d54dc65bf73 (diff)
libnftables: use-after-free in exit path
==29699== Invalid read of size 8 ==29699== at 0x507E140: ct_label_table_exit (ct.c:239) ==29699== by 0x5091877: nft_exit (libnftables.c:97) ==29699== by 0x5091877: nft_ctx_free (libnftables.c:297) [...] ==29699== Address 0xb251008 is 136 bytes inside a block of size 352 free'd ==29699== at 0x4C2CDDB: free (vg_replace_malloc.c:530) ==29699== by 0x509186F: nft_ctx_free (libnftables.c:296) [...] ==29699== Block was alloc'd at ==29699== at 0x4C2DBC5: calloc (vg_replace_malloc.c:711) ==29699== by 0x508C51D: xmalloc (utils.c:36) ==29699== by 0x508C51D: xzalloc (utils.c:65) ==29699== by 0x50916BE: nft_ctx_new (libnftables.c:151) [...] Release symbol tables before context object. Fixes: 45cb29a2ada4 ("src: remove global symbol_table") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r--src/libnftables.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/src/libnftables.c b/src/libnftables.c
index b169dd2f..a19636b2 100644
--- a/src/libnftables.c
+++ b/src/libnftables.c
@@ -293,8 +293,8 @@ void nft_ctx_free(struct nft_ctx *ctx)
cache_release(&ctx->cache);
nft_ctx_clear_include_paths(ctx);
xfree(ctx->state);
- xfree(ctx);
nft_exit(ctx);
+ xfree(ctx);
}
EXPORT_SYMBOL(nft_ctx_set_output);
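Review bot: The teardown order in nft_ctx_free() is now correct but nothing in the code records why, so a later cleanup could easily move `xfree(ctx);` back above `nft_exit(ctx);`. I would add a comment above the call such as `/* nft_exit() releases the symbol tables stored in ctx; ctx must be freed last */`. The same ordering question applies to `xfree(ctx->state);`, which still runs before `nft_exit(ctx)`. That is only safe if nothing reached from nft_exit() reads ctx->state, which the hunk does not show, so it is worth confirming. The body of nft_ctx_free() starts outside the hunk, so earlier teardown steps were not reviewed.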