authorPablo Neira Ayuso <pablo@netfilter.org>2022-06-01 10:14:22 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2022-06-01 10:35:16 +0200
commit59bd944f6d75e99fe0c8d743e7fd482672640c2d (patch)
treed2700e3bb28001352f801c698803772470516970
parent87fdf683fb5aec51ce8c399aa28a0db0d2adb69a (diff)
optimize: segfault when releasing unsupported statement
Call xfree() instead since stmt_alloc() does not initialize the statement type fields. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1609 Fixes: ea1f1c9ff608 ("optimize: memleak in statement matrix") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r--src/optimize.c2
-rw-r--r--tests/shell/testcases/optimizations/dumps/merge_vmaps.nft7
-rwxr-xr-xtests/shell/testcases/optimizations/merge_vmaps5
3 files changed, 13 insertions, 1 deletions
diff --git a/src/optimize.c b/src/optimize.c
index d6dfffec..3a3049d4 100644
--- a/src/optimize.c
+++ b/src/optimize.c
@@ -304,7 +304,7 @@ static int rule_collect_stmts(struct optimize_ctx *ctx, struct rule *rule)
clone->nat.type_flags = stmt->nat.type_flags;
break;
default:
- stmt_free(clone);
+ xfree(clone);
continue;
}
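Review bot: The `xfree(clone)` in the `default:` branch carries no comment explaining why this one path bypasses `stmt_free()`, so a later cleanup could easily "correct" it back and restore the crash. Per the commit message, stmt_alloc() does not initialize the statement type fields, so the type-specific release would presumably act on uninitialized data for a clone that never reached a supported case. I would add above the call `/* clone has no type-specific fields set yet; stmt_free() must not run on it */`. The added test shows the path is reached from an ordinary ruleset containing an unsupported statement, which is why the invariant deserves to be written down at the call site. rule_collect_stmts() starts and ends outside the hunk, so where the clone is allocated and populated is not visible here.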
diff --git a/tests/shell/testcases/optimizations/dumps/merge_vmaps.nft b/tests/shell/testcases/optimizations/dumps/merge_vmaps.nft
index 05b9e575..c981acf0 100644
--- a/tests/shell/testcases/optimizations/dumps/merge_vmaps.nft
+++ b/tests/shell/testcases/optimizations/dumps/merge_vmaps.nft
@@ -1,4 +1,10 @@
table ip x {
+ set s {
+ type ipv4_addr
+ size 65535
+ flags dynamic
+ }
+
chain filter_in_tcp {
}
@@ -6,6 +12,7 @@ table ip x {
}
chain y {
+ update @s { ip saddr limit rate 12/minute burst 30 packets } accept
tcp dport vmap { 80 : accept, 81 : accept, 443 : accept, 8000-8100 : accept, 24000-25000 : accept }
meta l4proto vmap { tcp : goto filter_in_tcp, udp : goto filter_in_udp }
log
diff --git a/tests/shell/testcases/optimizations/merge_vmaps b/tests/shell/testcases/optimizations/merge_vmaps
index 0922a221..e2e4be15 100755
--- a/tests/shell/testcases/optimizations/merge_vmaps
+++ b/tests/shell/testcases/optimizations/merge_vmaps
@@ -3,11 +3,16 @@
set -e
RULESET="table ip x {
+ set s {
+ type ipv4_addr
+ flags dynamic
+ }
chain filter_in_tcp {
}
chain filter_in_udp {
}
chain y {
+ update @s { ip saddr limit rate 12/minute burst 30 packets } accept
tcp dport vmap {
80 : accept,
81 : accept,