authorPatrick McHardy <kaber@trash.net>2012-12-10 16:20:14 +0100
committerPatrick McHardy <kaber@trash.net>2012-12-10 16:20:30 +0100
commit176698a280d24840b745a7ab57c553655e7dd1a6 (patch)
tree1d08988b5928c50cb6141f49de95266d1dfc0036
parent7a5d23be7c1e25d3fb1130604dedf244abfa2ac4 (diff)
cmd: fix handle use after free for implicit set declarations
The implicit set declaration passes the set's handle to cmd_alloc(), which copies the pointers to the allocated strings. Later on both the set's handle and the command's handle are freed, resulting in a use after free. Signed-off-by: Patrick McHardy <kaber@trash.net>
-rw-r--r--src/evaluate.c5
1 files changed, 4 insertions, 1 deletions
diff --git a/src/evaluate.c b/src/evaluate.c
index 01c6bd78..906c1002 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -76,6 +76,7 @@ static struct expr *implicit_set_declaration(struct eval_ctx *ctx,
{
struct cmd *cmd;
struct set *set;
+ struct handle h;
set = set_alloc(&expr->location);
set->flags = SET_F_CONSTANT | SET_F_ANONYMOUS | expr->set_flags;
@@ -88,7 +89,9 @@ static struct expr *implicit_set_declaration(struct eval_ctx *ctx,
list_add_tail(&set->list, &ctx->table->sets);
else {
handle_merge(&set->handle, &ctx->cmd->handle);
- cmd = cmd_alloc(CMD_ADD, CMD_OBJ_SET, &set->handle, set);
+ memset(&h, 0, sizeof(h));
+ handle_merge(&h, &set->handle);
+ cmd = cmd_alloc(CMD_ADD, CMD_OBJ_SET, &h, set);
cmd->location = set->location;
list_add_tail(&cmd->list, &ctx->cmd->list);
}
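Review bot: The ownership hand-off in the three new lines is not stated anywhere: `h` is filled by `handle_merge()` and its strings then belong to the command returned by `cmd_alloc()`, while `set->handle` keeps its own, which is the whole reason the local copy exists. A comment above the `memset()` would stop a later maintainer from "simplifying" this back to passing `&set->handle`, e.g. `/* cmd_alloc() takes over the handle's strings; hand it a separate copy so set->handle can be freed independently */`. The fix is only sound if `handle_merge()` duplicates the strings rather than aliasing the source pointers, which the commit message implies but the hunk does not show, so that is worth confirming against its definition. implicit_set_declaration() continues past the end of the hunk.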