From a8b0e09ad01eed49ad0d1272665c48789d417dba Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Thu, 22 May 2014 14:29:23 +0200 Subject: netlink_delinearize: fix double free in relational_binop_postprocess() free(expr->right) and free(value) point to the same object, so one single free() is enough. This manifests in valgrind with: ==4020== Invalid read of size 4 ==4020== at 0x40A429: expr_free (expression.c:65) ==4020== by 0x414032: expr_postprocess (netlink_delinearize.c:747) ==4020== by 0x414C33: netlink_delinearize_rule (netlink_delinearize.c:883) ==4020== by 0x411305: netlink_events_cb (netlink.c:1692) ==4020== by 0x55040AD: mnl_cb_run (callback.c:77) ==4020== by 0x4171E4: nft_mnl_recv (mnl.c:45) ==4020== by 0x407B44: do_command (rule.c:895) ==4020== by 0x405C6C: nft_run (main.c:183) ==4020== by 0x405849: main (main.c:334) ==4020== Address 0x5d126f8 is 56 bytes inside a block of size 120 free'd ==4020== at 0x4C2AF5C: free (vg_replace_malloc.c:446) ==4020== by 0x41402A: expr_postprocess (netlink_delinearize.c:746) ==4020== by 0x414C33: netlink_delinearize_rule (netlink_delinearize.c:883) ==4020== by 0x411305: netlink_events_cb (netlink.c:1692) ==4020== by 0x55040AD: mnl_cb_run (callback.c:77) ==4020== by 0x4171E4: nft_mnl_recv (mnl.c:45) ==4020== by 0x407B44: do_command (rule.c:895) ==4020== by 0x405C6C: nft_run (main.c:183) ==4020== by 0x405849: main (main.c:334) ==4020== Signed-off-by: Pablo Neira Ayuso --- src/netlink_delinearize.c | 1 - 1 file changed, 1 deletion(-) (limited to 'src') diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c index 62cbf0e4..479c6439 100644 --- a/src/netlink_delinearize.c +++ b/src/netlink_delinearize.c @@ -743,7 +743,6 @@ static void relational_binop_postprocess(struct expr *expr) * Split the flags into a list of flag values and convert the * op to OP_FLAGCMP. */ - expr_free(expr->right); expr_free(value); expr->left = expr_get(binop->left); -- cgit v1.2.3