diff options
author | Florian Westphal <fw@strlen.de> | 2023-12-13 11:09:58 +0100 |
---|---|---|
committer | Florian Westphal <fw@strlen.de> | 2023-12-13 12:08:17 +0100 |
commit | 28b3bbec5a97aaa57f7138fee8b2f22ff0e5b960 (patch) | |
tree | 08b6dda28fac4b1ada6de884d8e7ff6c0c40f0f2 /src/parser_bison.y | |
parent | 037d58a27d675802286aafb23e409b8c1d3eef56 (diff) |
parser_bison: close chain scope before chain release
cmd_alloc() will free the chain, so we must close the scope opened
in chain_block_alloc beforehand.
The included test file will cause a use-after-free because nft attempts
to search for an identifier in a scope that has been freed:
AddressSanitizer: heap-use-after-free on address 0x618000000368 at pc 0x7f1cbc0e6959 bp 0x7ffd3ccb7850 sp 0x7ffd3ccb7840
#0 0x7f1cbc0e6958 in symbol_lookup src/rule.c:629
#1 0x7f1cbc0e66a1 in symbol_get src/rule.c:588
#2 0x7f1cbc120d67 in nft_parse src/parser_bison.y:4325
Fixes: a66b5ad9540d ("src: allow for updating devices on existing netdev chain")
Signed-off-by: Florian Westphal <fw@strlen.de>
Diffstat (limited to 'src/parser_bison.y')
-rw-r--r-- | src/parser_bison.y | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/src/parser_bison.y b/src/parser_bison.y index ce80bcd9..c69252fe 100644 --- a/src/parser_bison.y +++ b/src/parser_bison.y @@ -1395,6 +1395,7 @@ delete_cmd : TABLE table_or_id_spec { $5->location = @5; handle_merge(&$3->handle, &$2); + close_scope(state); $$ = cmd_alloc(CMD_DELETE, CMD_OBJ_CHAIN, &$2, &@$, $5); } | RULE ruleid_spec |