author | Pablo Neira Ayuso <pablo@netfilter.org> | 2020-07-28 19:49:26 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2020-07-29 23:40:58 +0200 |
commit | 6ea8974ff7fb822af1d9d2049c3fb2c167767a8f (patch) | |
tree | 5974a5fb85e009f281b6fec433ed698dc37c34ae | |
parent | 1b5fdcbb3564fdb52cc11dedbb446701f3ce53e6 (diff) |
evaluate: UAF in hook priority expression
Release priority expression right before assigning the constant
expression that results from the evaluation.
Fixes: 627c451b2351 ("src: allow variables in the chain priority specification")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r-- | src/evaluate.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/evaluate.c b/src/evaluate.c index a9822ebc..a99b1143 100644 --- a/src/evaluate.c +++ b/src/evaluate.c @@ -3707,7 +3707,6 @@ static bool evaluate_priority(struct eval_ctx *ctx, struct prio_spec *prio, mpz_export_data(prio_str, prio->expr->value, BYTEORDER_HOST_ENDIAN, NFT_NAME_MAXLEN); loc = prio->expr->location; - expr_free(prio->expr); if (sscanf(prio_str, "%s %c %d", prio_fst, &op, &prio_snd) < 3) { priority = std_prio_lookup(prio_str, family, hook); @@ -3724,6 +3723,7 @@ static bool evaluate_priority(struct eval_ctx *ctx, struct prio_spec *prio, else return false; } + expr_free(prio->expr); prio->expr = constant_expr_alloc(&loc, &integer_type, BYTEORDER_HOST_ENDIAN, sizeof(int) * BITS_PER_BYTE, |
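Review bot: The relocated `expr_free(prio->expr);` in the second hunk has no comment saying why it must come after the last `return false;`, so a later tidy-up could hoist it back and reintroduce the dangling pointer. With the free placed before the parsing, as on the old side, the `return false;` branch visible just above the new call left `prio->expr` pointing at released memory; presumably a caller then read or released it again, though no caller is visible on this page. I would add `/* Free only once no error path remains: on failure prio->expr must stay valid for the caller. */` directly above the call. evaluate_priority starts before the first hunk and continues past the second, so any other exits between the two hunks could not be checked from here.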