From patchwork Thu May 22 15:17:16 2014
X-Patchwork-Submitter: Pablo Neira Ayuso
X-Patchwork-Id: 351529
From: Pablo Neira Ayuso
To: netfilter-devel@vger.kernel.org
Cc: kaber@trash.net, arturo.borrero.glez@gmail.com
Subject: [PATCH nft 1/2] netlink_delinearize: fix double free in relational_binop_postprocess()
Date: Thu, 22 May 2014 17:17:16 +0200
Message-Id: <1400771837-7670-1-git-send-email-pablo@netfilter.org>
X-Mailer: git-send-email 1.7.10.4
Sender: netfilter-devel-owner@vger.kernel.org
Precedence: bulk
List-ID: <netfilter-devel.vger.kernel.org>
X-Mailing-List: netfilter-devel@vger.kernel.org

free(expr->right) and free(value) point to the same object, so one single
free() is enough. This manifests in valgrind with:

==4020== Invalid read of size 4
==4020==    at 0x40A429: expr_free (expression.c:65)
==4020==    by 0x414032: expr_postprocess (netlink_delinearize.c:747)
==4020==    by 0x414C33: netlink_delinearize_rule (netlink_delinearize.c:883)
==4020==    by 0x411305: netlink_events_cb (netlink.c:1692)
==4020==    by 0x55040AD: mnl_cb_run (callback.c:77)
==4020==    by 0x4171E4: nft_mnl_recv (mnl.c:45)
==4020==    by 0x407B44: do_command (rule.c:895)
==4020==    by 0x405C6C: nft_run (main.c:183)
==4020==    by 0x405849: main (main.c:334)
==4020==  Address 0x5d126f8 is 56 bytes inside a block of size 120 free'd
==4020==    at 0x4C2AF5C: free (vg_replace_malloc.c:446)
==4020==    by 0x41402A: expr_postprocess (netlink_delinearize.c:746)
==4020==    by 0x414C33: netlink_delinearize_rule (netlink_delinearize.c:883)
==4020==    by 0x411305: netlink_events_cb (netlink.c:1692)
==4020==    by 0x55040AD: mnl_cb_run (callback.c:77)
==4020==    by 0x4171E4: nft_mnl_recv (mnl.c:45)
==4020==    by 0x407B44: do_command (rule.c:895)
==4020==    by 0x405C6C: nft_run (main.c:183)
==4020==    by 0x405849: main (main.c:334)
==4020==

Signed-off-by: Pablo Neira Ayuso
---
 src/netlink_delinearize.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index 62cbf0e..479c643 100644
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
@@ -743,7 +743,6 @@ static void relational_binop_postprocess(struct expr *expr) * Split the flags into a list of flag values and convert the * op to OP_FLAGCMP. */ - expr_free(expr->right); expr_free(value); expr->left = expr_get(binop->left);
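Review bot: the aliasing that justifies this deletion is not visible in the hunk: nothing in the shown context establishes that `value` was taken from `expr->right`, so a reader of this diff has to trust the commit message that `expr_free(expr->right)` and `expr_free(value)` release the same object. A one-line comment above the remaining `expr_free(value);`, e.g. "value aliases expr->right, freed once here", would document the ownership in the code itself. Related question for the same region: after `expr_free(value)` the hunk only shows `expr->left` being reassigned from `binop->left`; please confirm that `expr->right` is also reassigned before anything dereferences it, since it now holds a dangling pointer between the free and that assignment. Keeping the second call rather than the first is consistent with the valgrind trace, which shows the first free at line 746 and the invalid read inside the second `expr_free` at line 747.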