netlink: fix use-after-free netlink_events_cache_deltable()

h.table stores a pointer to a nftnl table object that is gone just after assignment. Release this object once its content is not referenced anymore. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Pablo Neira Ayuso <pablo@netfilter.org> 2015-06-16 18:10:53 +0200
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2015-06-16 18:11:15 +0200
commit: 9f06d928d32155fde97bc3ad6d7ca7f78eb6cf67 (patch)
tree: a2ee772f61af64fc456cfaa0fc058fe75f3f78e2 /src/netlink.c
parent: 2baf59cfe686877ced6adee5f2b0d50c1a1c9845 (diff)
1 files changed, 3 insertions, 2 deletions
diff --git a/src/netlink.c b/src/netlink.c
index 1167c951..429eed40 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -1982,14 +1982,15 @@ static void netlink_events_cache_deltable(struct netlink_mon_handler *monh,
 	nlt      = netlink_table_alloc(nlh);
 	h.family = nft_table_attr_get_u32(nlt, NFT_TABLE_ATTR_FAMILY);
 	h.table  = nft_table_attr_get_str(nlt, NFT_TABLE_ATTR_NAME);
-	nft_table_free(nlt);
 
 	t = table_lookup(&h);
 	if (t == NULL)
-		return;
+		goto out;
 
 	list_del(&t->list);
 	table_free(t);
+out:
+	nft_table_free(nlt);
 }
 
 static void netlink_events_cache_addset(struct netlink_mon_handler *monh,
author	Pablo Neira Ayuso <pablo@netfilter.org>	2015-06-16 18:10:53 +0200
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2015-06-16 18:11:15 +0200
commit	9f06d928d32155fde97bc3ad6d7ca7f78eb6cf67 (patch)
tree	a2ee772f61af64fc456cfaa0fc058fe75f3f78e2 /src/netlink.c
parent	2baf59cfe686877ced6adee5f2b0d50c1a1c9845 (diff)