diff mbox series

[nft] parser_bison: fix UaF when reporting table parse error

Message ID 20250107225509.6539-1-fw@strlen.de
State Accepted, archived
Headers show
Series [nft] parser_bison: fix UaF when reporting table parse error | expand

Commit Message

Florian Westphal Jan. 7, 2025, 10:55 p.m. UTC 
It passed already-freed memory to erec function.  Found with afl++ and asan.

Fixes: 4955ae1a81b7 ("Add support for table's persist flag")
Signed-off-by: Florian Westphal <fw@strlen.de>
---
 src/parser_bison.y | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

Comments

Pablo Neira Ayuso Jan. 7, 2025, 11:53 p.m. UTC | #1 
On Tue, Jan 07, 2025 at 11:55:06PM +0100, Florian Westphal wrote:
> It passed already-freed memory to erec function.  Found with afl++ and asan.
> 
> Fixes: 4955ae1a81b7 ("Add support for table's persist flag")
> Signed-off-by: Florian Westphal <fw@strlen.de>

Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>

> ---
>  src/parser_bison.y | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/src/parser_bison.y b/src/parser_bison.y
> index 6e6f3cf8335d..7ab15244be52 100644
> --- a/src/parser_bison.y
> +++ b/src/parser_bison.y
> @@ -1943,12 +1943,14 @@ table_flags		:	table_flag
>  table_flag		:	STRING
>  			{
>  				$$ = parse_table_flag($1);
> -				free_const($1);
>  				if ($$ == 0) {
>  					erec_queue(error(&@1, "unknown table option %s", $1),
>  						   state->msgs);
> +					free_const($1);
>  					YYERROR;
>  				}
> +
> +				free_const($1);
>  			}
>  			;
>  
> -- 
> 2.45.2
> 
>
diff mbox series

Patch

diff --git a/src/parser_bison.y b/src/parser_bison.y
index 6e6f3cf8335d..7ab15244be52 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -1943,12 +1943,14 @@  table_flags		:	table_flag
 table_flag		:	STRING
 			{
 				$$ = parse_table_flag($1);
-				free_const($1);
 				if ($$ == 0) {
 					erec_queue(error(&@1, "unknown table option %s", $1),
 						   state->msgs);
+					free_const($1);
 					YYERROR;
 				}
+
+				free_const($1);
 			}
 			;