rule: Fix segfault due to invalid free of rule user data

If the user allocates a nftnl_udata_buf and then passes the TLV data to nftnl_rule_set_data, the pointer stored in rule.user.data is not the begining of the allocated block. In this situation, if it calls to nftnl_rule_free, it tries to free this pointer and segfault is thrown. Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Carlos Falgueras García <carlosfg@riseup.net> 2016-05-17 18:00:15 +0200
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2016-05-25 10:28:24 +0200
commit: 0edd209705bc4cf9d2a9e17084310c02d81f4d64 (patch)
tree: 13f2c0efba30cc9479a295d7afee6164e3143723 /src
parent: e4e00c94a2591ef5367d559a4087dde3071e7833 (diff)
1 files changed, 5 insertions, 1 deletions
diff --git a/src/rule.c b/src/rule.c
index c299548..8ee8648 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -167,7 +167,11 @@ void nftnl_rule_set_data(struct nftnl_rule *r, uint16_t attr,
 		if (r->user.data != NULL)
 			xfree(r->user.data);
 
-		r->user.data = (void *)data;
+		r->user.data = malloc(data_len);
+		if (!r->user.data)
+			return;
+
+		memcpy(r->user.data, data, data_len);
 		r->user.len = data_len;
 		break;
 	}
author	Carlos Falgueras García <carlosfg@riseup.net>	2016-05-17 18:00:15 +0200
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2016-05-25 10:28:24 +0200
commit	0edd209705bc4cf9d2a9e17084310c02d81f4d64 (patch)
tree	13f2c0efba30cc9479a295d7afee6164e3143723 /src
parent	e4e00c94a2591ef5367d559a4087dde3071e7833 (diff)