authorFlorian Westphal <fw@strlen.de>2023-12-13 11:09:58 +0100
committerFlorian Westphal <fw@strlen.de>2023-12-13 12:08:17 +0100
commit28b3bbec5a97aaa57f7138fee8b2f22ff0e5b960 (patch)
tree08b6dda28fac4b1ada6de884d8e7ff6c0c40f0f2 /src/parser_bison.y
parent037d58a27d675802286aafb23e409b8c1d3eef56 (diff)
parser_bison: close chain scope before chain release
cmd_alloc() will free the chain, so we must close the scope opened in chain_block_alloc beforehand. The included test file will cause a use-after-free because nft attempts to search for an identifier in a scope that has been freed: AddressSanitizer: heap-use-after-free on address 0x618000000368 at pc 0x7f1cbc0e6959 bp 0x7ffd3ccb7850 sp 0x7ffd3ccb7840 #0 0x7f1cbc0e6958 in symbol_lookup src/rule.c:629 #1 0x7f1cbc0e66a1 in symbol_get src/rule.c:588 #2 0x7f1cbc120d67 in nft_parse src/parser_bison.y:4325 Fixes: a66b5ad9540d ("src: allow for updating devices on existing netdev chain") Signed-off-by: Florian Westphal <fw@strlen.de>
Diffstat (limited to 'src/parser_bison.y')
-rw-r--r--src/parser_bison.y1
1 files changed, 1 insertions, 0 deletions
diff --git a/src/parser_bison.y b/src/parser_bison.y
index ce80bcd9..c69252fe 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -1395,6 +1395,7 @@ delete_cmd : TABLE table_or_id_spec
{
$5->location = @5;
handle_merge(&$3->handle, &$2);
+ close_scope(state);
$$ = cmd_alloc(CMD_DELETE, CMD_OBJ_CHAIN, &$2, &@$, $5);
}
| RULE ruleid_spec
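Review bot: The added `close_scope(state);` must run before the `cmd_alloc()` call on the next line, but nothing in the action records that ordering, so a later reshuffle could bring back the heap-use-after-free the commit description reports in `symbol_lookup`. A one-line comment above the call would pin it down, for example `/* cmd_alloc() releases the chain and with it the scope: close the scope first */`. The rule header and the matching scope open (in `chain_block_alloc`, per the description) lie outside the hunk, so the open/close pairing cannot be confirmed from here. Any other action that hands a `chain_block_alloc` result to a function that frees the chain presumably needs the same ordering and is worth checking.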