78 lines
2.4 KiB
Diff
78 lines
2.4 KiB
Diff
|
From 64b18b08a4c7ff6baeca536100e34aacbbafa7f3 Mon Sep 17 00:00:00 2001
|
||
|
From: Phil Sutter <psutter@redhat.com>
|
||
|
Date: Thu, 26 Oct 2023 18:05:02 +0200
|
||
|
Subject: [PATCH] set: Do not leave free'd expr_list elements in place
|
||
|
|
||
|
JIRA: https://issues.redhat.com/browse/RHEL-14149
|
||
|
Upstream Status: libnftnl commit 3eaa940bc33a3186dc7ba1e30640ec79b5f261b9
|
||
|
|
||
|
commit 3eaa940bc33a3186dc7ba1e30640ec79b5f261b9
|
||
|
Author: Phil Sutter <phil@nwl.cc>
|
||
|
Date: Wed May 31 14:09:09 2023 +0200
|
||
|
|
||
|
set: Do not leave free'd expr_list elements in place
|
||
|
|
||
|
When freeing elements, remove them also to prevent a potential UAF.
|
||
|
|
||
|
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1685
|
||
|
Fixes: 3469f09286cee ("src: add NFTNL_SET_EXPRESSIONS")
|
||
|
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||
|
|
||
|
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
||
|
---
|
||
|
src/set.c | 16 ++++++++++++----
|
||
|
1 file changed, 12 insertions(+), 4 deletions(-)
|
||
|
|
||
|
diff --git a/src/set.c b/src/set.c
|
||
|
index c46f827..719e596 100644
|
||
|
--- a/src/set.c
|
||
|
+++ b/src/set.c
|
||
|
@@ -54,8 +54,10 @@ void nftnl_set_free(const struct nftnl_set *s)
|
||
|
if (s->flags & (1 << NFTNL_SET_USERDATA))
|
||
|
xfree(s->user.data);
|
||
|
|
||
|
- list_for_each_entry_safe(expr, next, &s->expr_list, head)
|
||
|
+ list_for_each_entry_safe(expr, next, &s->expr_list, head) {
|
||
|
+ list_del(&expr->head);
|
||
|
nftnl_expr_free(expr);
|
||
|
+ }
|
||
|
|
||
|
list_for_each_entry_safe(elem, tmp, &s->element_list, head) {
|
||
|
list_del(&elem->head);
|
||
|
@@ -105,8 +107,10 @@ void nftnl_set_unset(struct nftnl_set *s, uint16_t attr)
|
||
|
break;
|
||
|
case NFTNL_SET_EXPR:
|
||
|
case NFTNL_SET_EXPRESSIONS:
|
||
|
- list_for_each_entry_safe(expr, tmp, &s->expr_list, head)
|
||
|
+ list_for_each_entry_safe(expr, tmp, &s->expr_list, head) {
|
||
|
+ list_del(&expr->head);
|
||
|
nftnl_expr_free(expr);
|
||
|
+ }
|
||
|
break;
|
||
|
default:
|
||
|
return;
|
||
|
@@ -210,8 +214,10 @@ int nftnl_set_set_data(struct nftnl_set *s, uint16_t attr, const void *data,
|
||
|
s->user.len = data_len;
|
||
|
break;
|
||
|
case NFTNL_SET_EXPR:
|
||
|
- list_for_each_entry_safe(expr, tmp, &s->expr_list, head)
|
||
|
+ list_for_each_entry_safe(expr, tmp, &s->expr_list, head) {
|
||
|
+ list_del(&expr->head);
|
||
|
nftnl_expr_free(expr);
|
||
|
+ }
|
||
|
|
||
|
expr = (void *)data;
|
||
|
list_add(&expr->head, &s->expr_list);
|
||
|
@@ -742,8 +748,10 @@ int nftnl_set_nlmsg_parse(const struct nlmsghdr *nlh, struct nftnl_set *s)
|
||
|
|
||
|
return 0;
|
||
|
out_set_expr:
|
||
|
- list_for_each_entry_safe(expr, next, &s->expr_list, head)
|
||
|
+ list_for_each_entry_safe(expr, next, &s->expr_list, head) {
|
||
|
+ list_del(&expr->head);
|
||
|
nftnl_expr_free(expr);
|
||
|
+ }
|
||
|
|
||
|
return -1;
|
||
|
}
|