From patchwork Fri Oct 11 20:05:34 2013
X-Patchwork-Submitter: Hani Benhabiles
X-Patchwork-Id: 282926
Date: Fri, 11 Oct 2013 21:05:34 +0100
From: Hani Benhabiles
To: netfilter-devel@vger.kernel.org
Subject: [PATCH conntrack-tools] nfct: Fix use-after-free / double-free
Message-ID: <20131011200534.GD2728@doj>

helper's list and flush commands handlers shouldn't call mnl_socket_close
on the passed netlink socket as it is done in the main function after
parse_params call.

Signed-off-by: Hani Benhabiles
---
(gdb) run helper list
Starting program: /usr/local/sbin/nfct helper list
*** glibc detected *** /usr/local/sbin/nfct: double free or corruption (fasttop): 0x0000000000606010 ***
[...]
(gdb) bt
#0 0x00007ffff723e425 in __GI_raise (sig=) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1 0x00007ffff7241b8b in __GI_abort () at abort.c:91
#2 0x00007ffff727c39e in __libc_message (do_abort=2, fmt=0x7ffff7386028 "*** glibc detected *** %s: %s: 0x%s ***\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:201
#3 0x00007ffff7286b96 in malloc_printerr (action=3, str=0x7ffff7386218 "double free or corruption (fasttop)", ptr=) at malloc.c:5018
#4 0x00007ffff7bd5e82 in mnl_socket_close (nl=nl@entry=0x606010) at socket.c:249
#5 0x0000000000401a74 in main (argc=3, argv=0x7fffffffe6d8) at nfct.c:115

diff --git a/src/nfct-extensions/helper.c b/src/nfct-extensions/helper.c index 7544ed7..bfb153f 100644 --- a/src/nfct-extensions/helper.c +++ b/src/nfct-extensions/helper.c @@ -144,8 +144,6 @@ static int nfct_cmd_helper_list(struct mnl_socket *nl, int argc, char *argv[]) return -1; } - mnl_socket_close(nl); - return 0; } 
@@ -397,8 +395,6 @@ nfct_cmd_helper_flush(struct mnl_socket *nl, int argc, char *argv[]) return -1; } - mnl_socket_close(nl); - return 0; }
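
Review bot: In the nfct_cmd_helper_list hunk (@@ -144,8), nothing left in the handler records that nl belongs to the caller, so the close could easily be reintroduced later. Add a short comment at the handler, or where the subcommand handlers are dispatched, stating that main closes the socket after parse_params, which is what the commit message says and what frame #5 of the backtrace (nfct.c:115) shows. It is also worth confirming that the `return -1` path visible just above the removed lines never closed nl, so the success and error paths now treat the socket the same way.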
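
Review bot: In the nfct_cmd_helper_flush hunk (@@ -397,8), the same close is removed, but the gdb session in the notes only exercises `helper list`; please state in the commit message that `helper flush` was run after the change as well. The message names only the list and flush handlers, so check whether any other handler in src/nfct-extensions/helper.c that receives `struct mnl_socket *nl` still calls mnl_socket_close. The subject also says use-after-free / double-free while the trace shows only the double free abort inside mnl_socket_close; either say where the use-after-free occurs or drop it from the subject.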