diff options
author | Pablo Neira Ayuso <pablo@netfilter.org> | 2020-07-15 22:02:18 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2020-07-15 22:05:12 +0200 |
commit | b593378b9b2470213af1892053af519801053a7e (patch) | |
tree | b69e8e771542132b54c8bfb7fc6db8184680f19f /src | |
parent | b4c9900c895fd55788912d62063cf107a27b68e0 (diff) |
evaluate: UAF in stmt_evaluate_log_prefix()
Release existing list expression including variables after creating the
prefix string.
Fixes: 96c909ef46f0 ("src: allow for variables in the log prefix string")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src')
-rw-r--r-- | src/evaluate.c | 9 |
1 files changed, 4 insertions, 5 deletions
diff --git a/src/evaluate.c b/src/evaluate.c index f12c88a0..67eb5d60 100644 --- a/src/evaluate.c +++ b/src/evaluate.c @@ -3291,13 +3291,12 @@ static int stmt_evaluate_log_prefix(struct eval_ctx *ctx, struct stmt *stmt) if (len == NF_LOG_PREFIXLEN) return stmt_error(ctx, stmt, "log prefix is too long"); + expr = constant_expr_alloc(&stmt->log.prefix->location, &string_type, + BYTEORDER_HOST_ENDIAN, + strlen(prefix) * BITS_PER_BYTE, prefix); expr_free(stmt->log.prefix); + stmt->log.prefix = expr; - stmt->log.prefix = - constant_expr_alloc(&stmt->log.prefix->location, &string_type, - BYTEORDER_HOST_ENDIAN, - strlen(prefix) * BITS_PER_BYTE, - prefix); return 0; } |