authorPablo Neira Ayuso <pablo@netfilter.org>2020-07-15 22:02:18 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2020-07-15 22:05:12 +0200
commitb593378b9b2470213af1892053af519801053a7e (patch)
treeb69e8e771542132b54c8bfb7fc6db8184680f19f
parentb4c9900c895fd55788912d62063cf107a27b68e0 (diff)
evaluate: UAF in stmt_evaluate_log_prefix()
Release existing list expression including variables after creating the prefix string. Fixes: 96c909ef46f0 ("src: allow for variables in the log prefix string") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r--src/evaluate.c9
1 files changed, 4 insertions, 5 deletions
diff --git a/src/evaluate.c b/src/evaluate.c
index f12c88a0..67eb5d60 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -3291,13 +3291,12 @@ static int stmt_evaluate_log_prefix(struct eval_ctx *ctx, struct stmt *stmt)
if (len == NF_LOG_PREFIXLEN)
return stmt_error(ctx, stmt, "log prefix is too long");
+ expr = constant_expr_alloc(&stmt->log.prefix->location, &string_type,
+ BYTEORDER_HOST_ENDIAN,
+ strlen(prefix) * BITS_PER_BYTE, prefix);
expr_free(stmt->log.prefix);
+ stmt->log.prefix = expr;
- stmt->log.prefix =
- constant_expr_alloc(&stmt->log.prefix->location, &string_type,
- BYTEORDER_HOST_ENDIAN,
- strlen(prefix) * BITS_PER_BYTE,
- prefix);
return 0;
}
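Review bot: The new ordering at the `constant_expr_alloc()` / `expr_free()` pair is load-bearing but nothing in the code says so, which makes the use-after-free easy to reintroduce in a later cleanup. A short comment above the allocation would pin it, for example `/* allocate before expr_free(): the location is read from the old prefix expression */`. The fix also relies on `constant_expr_alloc()` copying the location it is handed rather than keeping the pointer into the expression that is freed on the next line; that is not visible in this hunk and is worth confirming. The function's start, including the declaration of `expr` and the code that builds `prefix`, lies outside the hunk.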