From 0d3f59cbe70f55f220fafd1ffff043a35a0d4503 Mon Sep 17 00:00:00 2001
From: Phil Sutter
Date: Tue, 29 Jan 2019 18:12:15 +0100
Subject: [PATCH] flowtable: Fix use after free in two spots
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1661327
Upstream Status: libnftnl commit 822dc96815e96
commit 822dc96815e96465822ce4b1187c4b29c06cb7c1
Author: Phil Sutter
Date: Thu Dec 20 21:03:29 2018 +0100
flowtable: Fix use after free in two spots
When freeing flowtable devices array, the loop freeing each device string incorrectly included the call to free the device array itself.
Fixes: eb58f53372e74 ("src: add flowtable support")
Signed-off-by: Phil Sutter
Signed-off-by: Pablo Neira Ayuso
---
 src/flowtable.c | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/src/flowtable.c b/src/flowtable.c
index aa6ce59..61ff29b 100644
--- a/src/flowtable.c
+++ b/src/flowtable.c
@@ -85,10 +85,9 @@ void nftnl_flowtable_unset(struct nftnl_flowtable *c, uint16_t attr)
 case NFTNL_FLOWTABLE_FLAGS:
 break;
 case NFTNL_FLOWTABLE_DEVICES:
- for (i = 0; i < c->dev_array_len; i++) {
+ for (i = 0; i < c->dev_array_len; i++)
 xfree(c->dev_array[i]);
- xfree(c->dev_array);
- }
+ xfree(c->dev_array);
 break;
 default:
 return;
@@ -146,10 +145,9 @@ int nftnl_flowtable_set_data(struct nftnl_flowtable *c, uint16_t attr,
 len++;
 if (c->flags & (1 << NFTNL_FLOWTABLE_DEVICES)) {
- for (i = 0; i < c->dev_array_len; i++) {
+ for (i = 0; i < c->dev_array_len; i++)
 xfree(c->dev_array[i]);
- xfree(c->dev_array);
- }
+ xfree(c->dev_array);
 }
 c->dev_array = calloc(len + 1, sizeof(char *));
-- 
1.8.3.1
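Review bot: After the new `xfree(c->dev_array);` in the `NFTNL_FLOWTABLE_DEVICES` case of nftnl_flowtable_unset, `c->dev_array` and `c->dev_array_len` keep their old values, so the struct still describes freed memory unless xfree itself clears the pointer, which is not visible here. Whether a stale walk is reachable depends on code outside the hunk (the flag handling after the switch presumably guards it), but resetting both right after the free, `c->dev_array = NULL;` and `c->dev_array_len = 0;`, would make any later unguarded loop or free harmless. The same applies to the second hunk in nftnl_flowtable_set_data: if the `calloc` that follows fails, the object appears to be left with a NULL array, the old length and the DEVICES flag still set, so a later unset would index a NULL array. Both functions begin and end outside their hunks, so the failure path of that `calloc` should be confirmed against the full file.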