author | Pablo Neira Ayuso <pablo@netfilter.org> | 2014-05-22 14:29:23 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2014-05-22 16:20:57 +0200 |
commit | a8b0e09ad01eed49ad0d1272665c48789d417dba (patch) | |
tree | 38648cbefdede30e3dd2d2ccd677f2666ff1de14 /src | |
parent | 4986a0e3745aedb7aae8aa93202a4460a0e36866 (diff) |
netlink_delinearize: fix double free in relational_binop_postprocess()
free(expr->right) and free(value) point to the same object, so one
single free() is enough.
This manifests in valgrind with:
==4020== Invalid read of size 4
==4020== at 0x40A429: expr_free (expression.c:65)
==4020== by 0x414032: expr_postprocess (netlink_delinearize.c:747)
==4020== by 0x414C33: netlink_delinearize_rule (netlink_delinearize.c:883)
==4020== by 0x411305: netlink_events_cb (netlink.c:1692)
==4020== by 0x55040AD: mnl_cb_run (callback.c:77)
==4020== by 0x4171E4: nft_mnl_recv (mnl.c:45)
==4020== by 0x407B44: do_command (rule.c:895)
==4020== by 0x405C6C: nft_run (main.c:183)
==4020== by 0x405849: main (main.c:334)
==4020== Address 0x5d126f8 is 56 bytes inside a block of size 120 free'd
==4020== at 0x4C2AF5C: free (vg_replace_malloc.c:446)
==4020== by 0x41402A: expr_postprocess (netlink_delinearize.c:746)
==4020== by 0x414C33: netlink_delinearize_rule (netlink_delinearize.c:883)
==4020== by 0x411305: netlink_events_cb (netlink.c:1692)
==4020== by 0x55040AD: mnl_cb_run (callback.c:77)
==4020== by 0x4171E4: nft_mnl_recv (mnl.c:45)
==4020== by 0x407B44: do_command (rule.c:895)
==4020== by 0x405C6C: nft_run (main.c:183)
==4020== by 0x405849: main (main.c:334)
==4020==
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src')
-rw-r--r-- | src/netlink_delinearize.c | 1 |
1 files changed, 0 insertions, 1 deletions
diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c index 62cbf0e4..479c6439 100644 --- a/src/netlink_delinearize.c +++ b/src/netlink_delinearize.c @@ -743,7 +743,6 @@ static void relational_binop_postprocess(struct expr *expr) * Split the flags into a list of flag values and convert the * op to OP_FLAGCMP. */ - expr_free(expr->right); expr_free(value); expr->left = expr_get(binop->left); |
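Review bot: after `expr_free(value)` in relational_binop_postprocess(), `expr->right` still holds the address of the object that was just released (the commit message states that `value` and `expr->right` are the same object), and the visible context only shows `expr->left` being reassigned. Please confirm that `expr->right` is overwritten before anything reads or frees it again. A one-line comment next to `expr_free(value)` saying that `value` aliases `expr->right` would also keep the second free from being reintroduced later. As a smaller point, the commit message writes free() while the code calls expr_free(); using the real function name in the message would make the log easier to match against the valgrind trace.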