From patchwork Sat Mar 11 04:20:11 2017
X-Patchwork-Submitter: Liping Zhang
X-Patchwork-Id: 737638
X-Patchwork-Delegate: pablo@netfilter.org
From: Liping Zhang
To: pablo@netfilter.org
Cc: netfilter-devel@vger.kernel.org, Liping Zhang
Subject: [PATCH nft] src: fix crash when inputting an incomplete set add command
Date: Sat, 11 Mar 2017 12:20:11 +0800
Message-Id: <1489206011-43843-1-git-send-email-zlpnobody@163.com>
X-Mailer: git-send-email 2.5.5
X-Mailing-List: netfilter-devel@vger.kernel.org

From: Liping Zhang

After inputting the following nft command, set->keytype is not initialized
but we try to destroy it, so NULL pointer dereference will happen:
  # nft add set t s
  Segmentation fault (core dumped)

  #0  dtype_free (dtype=0x0) at datatype.c:1049
  #1  set_datatype_destroy (dtype=0x0) at datatype.c:1051
  #2  0x0000000000407f1a in set_free (set=0x838790) at rule.c:213
  #3  0x000000000042ff70 in nft_parse (scanner=scanner@entry=0x8386a0,
      state=state@entry=0x7ffc313ea670) at parser_bison.c:9355
  #4  0x000000000040727d in nft_run (scanner=scanner@entry=0x8386a0,
      state=state@entry=0x7ffc313ea670, msgs=msgs@entry=0x7ffc313ea660) at main.c:237
  #5  0x0000000000406e4a in main (argc=, argv=) at main.c:376

Fixes: b9b6092304ae ("evaluate: store byteorder for set keys")
Signed-off-by: Liping Zhang
---
 src/datatype.c | 2 +-
 src/rule.c     | 3 +--
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/src/datatype.c b/src/datatype.c index c61c424..06a045b 100644 --- a/src/datatype.c +++ b/src/datatype.c
@@ -1047,7 +1047,7 @@ const struct datatype *set_datatype_alloc(const struct datatype *orig_dtype, void set_datatype_destroy(const struct datatype *dtype) { - if (dtype->flags & DTYPE_F_CLONE) + if (dtype && dtype->flags & DTYPE_F_CLONE) dtype_free(dtype); } diff --git a/src/rule.c b/src/rule.c index f5ff110..056d5ce 100644 --- a/src/rule.c +++ b/src/rule.c @@ -211,8 +211,7 @@ void set_free(struct set *set) expr_free(set->init); handle_free(&set->handle); set_datatype_destroy(set->keytype); - if (set->datatype) - set_datatype_destroy(set->datatype); + set_datatype_destroy(set->datatype); xfree(set); }
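Review bot: In set_datatype_destroy() (src/datatype.c), the new condition `dtype && dtype->flags & DTYPE_F_CLONE` mixes `&&` and `&` without parentheses. Operator precedence makes it evaluate as intended, but `dtype && (dtype->flags & DTYPE_F_CLONE)` states the intent without requiring the reader to recall it. The function now accepts NULL, and set_free() relies on that, so a short comment above it saying NULL is a valid argument would keep a later cleanup from removing the check. A regression test that feeds the incomplete `nft add set t s` command from the commit message would also stop the crash from coming back unnoticed.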
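Review bot: In set_free() (src/rule.c), dropping the `if (set->datatype)` guard is only safe because of the NULL check added to set_datatype_destroy() in the src/datatype.c hunk, so the two changes need to stay in one commit and be backported together; picking this hunk alone would move the NULL dereference from set->keytype to set->datatype. The backtrace shows nft_parse() calling set_free() on a set that was only partly filled in, so it is worth confirming that the unchanged `expr_free(set->init)` and `handle_free(&set->handle)` calls in the same function tolerate unset members as well, and saying so in the commit message.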