Message ID | 20240903154918.17211-1-phil@nwl.cc
---|---
State | Accepted
Series | [nft] libnftables: Zero ctx->vars after freeing it
On Tue, Sep 03, 2024 at 05:49:18PM +0200, Phil Sutter wrote:
> Leaving the invalid pointer value in place will cause a double-free when
> users call nft_ctx_clear_vars() first, then nft_ctx_free(). Moreover,
> nft_ctx_add_var() passes the pointer to mrealloc() and thus assumes it
> to be either NULL or valid.
>
> Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1772
> Fixes: 9edaa6a51eab4 ("src: add --define key=value")
> Signed-off-by: Phil Sutter <phil@nwl.cc>

Patch applied.
diff --git a/src/libnftables.c b/src/libnftables.c index 7fc81515258d1..2ae215013cb0a 100644 --- a/src/libnftables.c +++ b/src/libnftables.c @@ -160,6 +160,7 @@ void nft_ctx_clear_vars(struct nft_ctx *ctx) } ctx->num_vars = 0; free(ctx->vars); + ctx->vars = NULL; } EXPORT_SYMBOL(nft_ctx_add_include_path);
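Review bot: The added `ctx->vars = NULL;` after `free(ctx->vars);` is the right fix and belongs exactly where it is, next to the existing `ctx->num_vars = 0;`, because the two fields are only consistent as a pair: once both are reset the context looks freshly initialised, a second nft_ctx_clear_vars() from nft_ctx_free() becomes a harmless free(NULL), and mrealloc() in nft_ctx_add_var() receives NULL instead of a stale pointer. Since the hunk context shows these are exported entry points that callers may invoke in any order, it would be worth adding a regression test that calls nft_ctx_clear_vars() followed by nft_ctx_add_var() and nft_ctx_free() so the double free from bug 1772 cannot return.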
Leaving the invalid pointer value in place will cause a double-free when
users call nft_ctx_clear_vars() first, then nft_ctx_free(). Moreover,
nft_ctx_add_var() passes the pointer to mrealloc() and thus assumes it
to be either NULL or valid.

Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1772
Fixes: 9edaa6a51eab4 ("src: add --define key=value")
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 src/libnftables.c | 1 +
 1 file changed, 1 insertion(+)
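To show why the commit message's two conditions (clear followed by free, and realloc's NULL-or-valid precondition) are both satisfied by the one-line reset, here is an added example that is not libnftables code: it uses a constructed, simplified stand-in for nft_ctx (no mrealloc(), no key duplication, no error reporting) with the patched shape of nft_ctx_clear_vars(), and walks the exact call ordering from the bug report.

```c
#include <stdlib.h>
/* Constructed stand-in for libnftables' nft_ctx; mrealloc() and key duplication are simplified away. */
struct nft_var { const char *key; const char *value; };
struct nft_ctx { struct nft_var *vars; unsigned int num_vars; };

/* realloc() accepts only NULL or a live block: a freed ctx->vars here is undefined behaviour. */
int nft_ctx_add_var(struct nft_ctx *ctx, const char *key, const char *value)
{
	struct nft_var *tmp = realloc(ctx->vars, (ctx->num_vars + 1) * sizeof(*tmp));
	if (!tmp)
		return -1;
	tmp[ctx->num_vars] = (struct nft_var){ key, value };
	ctx->vars = tmp;
	ctx->num_vars++;
	return 0;
}

/* Patched shape of the function: after the free, both fields look like a
 * freshly calloc'ed context, so a later add or clear stays valid. */
void nft_ctx_clear_vars(struct nft_ctx *ctx)
{
	ctx->num_vars = 0;
	free(ctx->vars);
	ctx->vars = NULL;	/* the one-line fix from the patch */
}

void nft_ctx_free(struct nft_ctx *ctx)
{
	nft_ctx_clear_vars(ctx);	/* must be a no-op after an explicit clear */
	free(ctx);
}

/* The ordering from the bug report: clear, reuse the context, then free it.
 * Returns the var count after reuse, -1 on allocation failure, -2 if the clear left vars dangling. */
int demo_clear_reuse_free(void)
{
	struct nft_ctx *ctx = calloc(1, sizeof(*ctx));
	int n = -1;
	if (!ctx)
		return -1;
	if (!nft_ctx_add_var(ctx, "ifname", "eth0") && !nft_ctx_add_var(ctx, "port", "22")) {
		nft_ctx_clear_vars(ctx);
		if (ctx->vars != NULL)
			n = -2;
		else if (!nft_ctx_add_var(ctx, "port", "443"))	/* realloc(NULL, n) == malloc(n) */
			n = (int)ctx->num_vars;
	}
	nft_ctx_free(ctx);	/* clears again, then frees: no double free */
	return n;
}
```

Without the reset line, the same sequence would hand a freed pointer to realloc() and then free it a second time in nft_ctx_free(); that variant is deliberately not included because running it is undefined behaviour.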