[Bug 1685] Calling the nftnl_set_free function may trigger the "double free" problem.
bugzilla-daemon at netfilter.org
Wed May 31 11:04:20 CEST 2023
https://bugzilla.netfilter.org/show_bug.cgi?id=1685
--- Comment #1 from Chen Zhen <vchanger123456 at 163.com> ---
Reproduction code:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <netinet/in.h>
#include <linux/netfilter/nf_tables.h>
#include <libnftnl/set.h>
#include <libnftnl/expr.h>	/* nftnl_expr_alloc(), NFTNL_EXPR_META_* */

int main(int argc, char *argv[])
{
	struct nftnl_set *a;
	struct nftnl_expr *ex;

	a = nftnl_set_alloc();
	ex = nftnl_expr_alloc("meta");
	if (a == NULL || ex == NULL) {
		/* print_err() exists only in the libnftnl test files, so report directly */
		fprintf(stderr, "OOM\n");
		return EXIT_FAILURE;
	}

	/* Fill in the meta expression */
	nftnl_expr_set_u32(ex, NFTNL_EXPR_META_KEY, 0x1234568);
	nftnl_expr_set_u32(ex, NFTNL_EXPR_META_DREG, 0x78123456);

	/* Fill in the set attributes */
	nftnl_set_set_str(a, NFTNL_SET_TABLE, "test-table");
	nftnl_set_set_str(a, NFTNL_SET_NAME, "test-name");
	nftnl_set_set_u32(a, NFTNL_SET_FLAGS, 0x12345678);
	nftnl_set_set_u32(a, NFTNL_SET_KEY_TYPE, 0x12345678);
	nftnl_set_set_u32(a, NFTNL_SET_KEY_LEN, 0x12345678);
	nftnl_set_set_u32(a, NFTNL_SET_DATA_TYPE, 0x12345678);
	nftnl_set_set_u32(a, NFTNL_SET_DATA_LEN, 0x12345678);
	nftnl_set_set_u32(a, NFTNL_SET_FAMILY, 0x12345678);
	nftnl_set_set_str(a, NFTNL_SET_USERDATA, "testing user data");

	/* Attach the expression to the set, unset it again, then free the set:
	 * the sequence reported to trigger the double free */
	nftnl_set_set(a, NFTNL_SET_EXPR, ex);
	nftnl_set_unset(a, NFTNL_SET_EXPR);
	nftnl_set_free(a);

	printf("ok");
	return 0;
}
Code from:
https://git.netfilter.org/libnftnl/tree/tests/nft-set-test.c
https://git.netfilter.org/libnftnl/tree/tests/nft-expr_meta-test.c