From bbe139fdf5a589499e75d8361efbca6c4add3275 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Fri, 7 Jun 2019 12:37:00 +0200
Subject: evaluate: use-after-free in implicit set

 # cat example.nft
 table inet test {
        chain test {
                ip daddr { 2.2.2.2, 4.4.4.4} counter accept
        }
 }
 # valgrind nft -f example.nft

valgrind reports:

==2272== Invalid read of size 4
==2272==    at 0x4E612A5: expr_free (expression.c:86)
==2272==    by 0x4E58EA2: set_free (rule.c:367)
==2272==    by 0x4E612DA: expr_destroy (expression.c:79)
==2272==    by 0x4E612DA: expr_free (expression.c:93)
==2272==    by 0x4E612DA: expr_destroy (expression.c:79)
==2272==    by 0x4E612DA: expr_free (expression.c:93)
==2272==    by 0x4E5D7E7: stmt_free (statement.c:50)
==2272==    by 0x4E5D8B7: stmt_list_free (statement.c:60)
==2272==    by 0x4E590FF: rule_free (rule.c:610)
==2272==    by 0x4E5C094: cmd_free (rule.c:1420)
==2272==    by 0x4E7E7EF: nft_run_cmd_from_filename (libnftables.c:490)
==2272==    by 0x109A53: main (main.c:310)
==2272==  Address 0x65d94c8 is 56 bytes inside a block of size 128 free'd
==2272==    at 0x4C2CDDB: free (vg_replace_malloc.c:530)
==2272==    by 0x4E6143C: mapping_expr_destroy (expression.c:966)
==2272==    by 0x4E612DA: expr_destroy (expression.c:79)
==2272==    by 0x4E612DA: expr_free (expression.c:93)
==2272==    by 0x4E5D7E7: stmt_free (statement.c:50)
==2272==    by 0x4E5D8B7: stmt_list_free (statement.c:60)
==2272==    by 0x4E590FF: rule_free (rule.c:610)
==2272==    by 0x4E5C094: cmd_free (rule.c:1420)
==2272==    by 0x4E7E7EF: nft_run_cmd_from_filename (libnftables.c:490)
==2272==    by 0x109A53: main (main.c:310)
==2272==  Block was alloc'd at
==2272==    at 0x4C2BBAF: malloc (vg_replace_malloc.c:299)
==2272==    by 0x4E79248: xmalloc (utils.c:36)
==2272==    by 0x4E7932D: xzalloc (utils.c:65)
==2272==    by 0x4E60690: expr_alloc (expression.c:45)
==2272==    by 0x4E68B1D: payload_expr_alloc (payload.c:159)
==2272==    by 0x4E91013: nft_parse (parser_bison.y:4242)
==2272==    by 0x4E7E722: nft_parse_bison_filename (libnftables.c:374)
==2272==    by 0x4E7E722: nft_run_cmd_from_filename (libnftables.c:471)
==2272==    by 0x109A53: main (main.c:310)

Fixes: cc7b37d18a68 ("src: Interpret OP_NEQ against a set as OP_LOOKUP")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/evaluate.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/evaluate.c b/src/evaluate.c
index 63be2dde..b9660d77 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -1689,7 +1689,8 @@ static int expr_evaluate_relational(struct eval_ctx *ctx, struct expr **expr)
 			break;
 		case EXPR_SET:
 			right = rel->right =
-				implicit_set_declaration(ctx, "__set%d", left, right);
+				implicit_set_declaration(ctx, "__set%d",
+							 expr_get(left), right);
 			/* fall through */
 		case EXPR_SET_REF:
 			/* Data for range lookups needs to be in big endian order */
-- 
cgit v1.2.3