From 9f06d928d32155fde97bc3ad6d7ca7f78eb6cf67 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Tue, 16 Jun 2015 18:10:53 +0200
Subject: netlink: fix use-after-free netlink_events_cache_deltable()

h.table stores a pointer to a nftnl table object that is gone just after assignment. Release this object once its content is not referenced anymore.

Signed-off-by: Pablo Neira Ayuso
---
 src/netlink.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
(limited to 'src/netlink.c')
diff --git a/src/netlink.c b/src/netlink.c
index 1167c951..429eed40 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -1982,14 +1982,15 @@ static void netlink_events_cache_deltable(struct netlink_mon_handler *monh,
 nlt = netlink_table_alloc(nlh);
 h.family = nft_table_attr_get_u32(nlt, NFT_TABLE_ATTR_FAMILY);
 h.table = nft_table_attr_get_str(nlt, NFT_TABLE_ATTR_NAME);
- nft_table_free(nlt);
 t = table_lookup(&h);
 if (t == NULL)
- return;
+ goto out;
 list_del(&t->list);
 table_free(t);
+out:
+ nft_table_free(nlt);
 }
 static void netlink_events_cache_addset(struct netlink_mon_handler *monh,
--
cgit v1.2.3
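Review bot: The lifetime dependency behind this use-after-free is still not written down in the code: `h.table` holds the pointer returned by `nft_table_attr_get_str(nlt, NFT_TABLE_ATTR_NAME)`, so it is valid only while `nlt` is alive, and nothing at the assignment or at the new `out:` label says so. A comment above the assignment, for example `/* h.table borrows the name string owned by nlt; nlt must outlive every use of h */`, would stop a later cleanup from moving `nft_table_free(nlt)` back above `table_lookup(&h)`. The function's declarations and opening lines are outside the hunk, so whether `h` is otherwise initialised and whether `netlink_table_alloc()` can return NULL cannot be confirmed from here.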