Message ID | b7a5a0e246bbe94de1f14594586e1ce75dc311bb.1406906631.git.tgraf@suug.ch |
---|---|
State | Accepted |
Delegated to: | Pablo Neira |
Headers | show |
On Fri, Aug 01, 2014 at 05:25:38PM +0200, Thomas Graf wrote: > nft_del_setelem() currently calls nft_data_uninit() twice on the same > key. Once to release the key which is guaranteed to be NFT_DATA_VALUE > and a second time in the error path to which it falls through. > > The second call has been harmless so far though because the type > passed is always NFT_DATA_VALUE which is currently a no-op. Applied, thanks Thomas. BTW, this bug seems to be there since the very beginning: http://lxr.free-electrons.com/source/net/netfilter/nf_tables_api.c?v=3.13#L2735 -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 8746ff9..b35ba83 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -3218,6 +3218,7 @@ static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set, if (set->flags & NFT_SET_MAP) nft_data_uninit(&elem.data, set->dtype); + return 0; err2: nft_data_uninit(&elem.key, desc.type); err1:
nft_del_setelem() currently calls nft_data_uninit() twice on the same key. Once to release the key which is guaranteed to be NFT_DATA_VALUE and a second time in the error path to which it falls through. The second call has been harmless so far though because the type passed is always NFT_DATA_VALUE which is currently a no-op. Signed-off-by: Thomas Graf <tgraf@suug.ch> --- net/netfilter/nf_tables_api.c | 1 + 1 file changed, 1 insertion(+)