From b593378b9b2470213af1892053af519801053a7e Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Wed, 15 Jul 2020 22:02:18 +0200
Subject: evaluate: UAF in stmt_evaluate_log_prefix()

Release existing list expression including variables after creating the prefix string.

Fixes: 96c909ef46f0 ("src: allow for variables in the log prefix string")
Signed-off-by: Pablo Neira Ayuso
---
 src/evaluate.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/src/evaluate.c b/src/evaluate.c
index f12c88a0..67eb5d60 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -3291,13 +3291,12 @@ static int stmt_evaluate_log_prefix(struct eval_ctx *ctx, struct stmt *stmt)
 if (len == NF_LOG_PREFIXLEN)
 return stmt_error(ctx, stmt, "log prefix is too long");
+ expr = constant_expr_alloc(&stmt->log.prefix->location, &string_type,
+ BYTEORDER_HOST_ENDIAN,
+ strlen(prefix) * BITS_PER_BYTE, prefix);
 expr_free(stmt->log.prefix);
+ stmt->log.prefix = expr;
- stmt->log.prefix =
- constant_expr_alloc(&stmt->log.prefix->location, &string_type,
- BYTEORDER_HOST_ENDIAN,
- strlen(prefix) * BITS_PER_BYTE,
- prefix);
 return 0;
 }
-- 
cgit v1.2.3
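Review bot: The order of the statements around `expr_free(stmt->log.prefix)` is now the only thing preventing the use-after-free, and nothing in the code says so, so a later cleanup could fold the allocation back into the assignment. A short comment above the allocation would pin it, for example `/* Allocate first: the location argument points into the old prefix, which is freed below. */`. The fix also relies on constant_expr_alloc() copying the location and the prefix bytes by value rather than keeping the pointers; that callee is not visible in this hunk, so it is worth confirming. `expr` is assigned here without a visible declaration because the function body starts outside the hunk; presumably it reuses an existing local.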