netlink_delinearize: fix use-after-free

We have to clone the payload expression before attaching it to the lhs of the relational expression, this payload expression is located at the lhs of the binary operation that is released thereafter. Fixes: 39f15c2 ("nft: support listing expressions that use non-byte header fields") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Pablo Neira Ayuso <pablo@netfilter.org> 2015-11-26 16:20:55 +0100
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2015-11-28 13:48:37 +0100
commit: 972b03b43de3c896a0ff158110f0e7d978e7192e (patch)
tree: fd9b28691a2aefccf08fea68e4e863287b11afdd
parent: 947b4fe19a742057093341975b4e33c962ef1446 (diff)
1 files changed, 3 insertions, 3 deletions
diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index 4a85395f..3e1f912c 100644
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
@@ -1188,8 +1188,8 @@ static void relational_binop_postprocess(struct rule_pp_ctx *ctx, struct expr *e
 	} else if (binop->op == OP_AND &&
 		   binop->left->ops->type == EXPR_PAYLOAD &&
 		   binop->right->ops->type == EXPR_VALUE) {
-		struct expr *payload = expr->left->left;
-		struct expr *mask = expr->left->right;
+		struct expr *payload = binop->left;
+		struct expr *mask = binop->right;
 
 		/*
 		 * This *might* be a payload match testing header fields that
@@ -1237,7 +1237,7 @@ static void relational_binop_postprocess(struct rule_pp_ctx *ctx, struct expr *e
 			assert(expr->left->ops->type == EXPR_BINOP);
 
 			assert(binop->left == payload);
-			expr->left = payload;
+			expr->left = expr_get(payload);
 			expr_free(binop);
 		}
 	}
author	Pablo Neira Ayuso <pablo@netfilter.org>	2015-11-26 16:20:55 +0100
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2015-11-28 13:48:37 +0100
commit	972b03b43de3c896a0ff158110f0e7d978e7192e (patch)
tree	fd9b28691a2aefccf08fea68e4e863287b11afdd
parent	947b4fe19a742057093341975b4e33c962ef1446 (diff)