<html>
<head>
<base href="https://bugzilla.netfilter.org/" />
</head>
<body>
<p>
<div>
<b><a class="bz_bug_link
bz_status_NEW "
title="NEW - Calling the nftnl_set_free function may trigger the "double free" problem."
href="https://bugzilla.netfilter.org/show_bug.cgi?id=1685#c6">Comment # 6</a>
on <a class="bz_bug_link
bz_status_NEW "
title="NEW - Calling the nftnl_set_free function may trigger the "double free" problem."
href="https://bugzilla.netfilter.org/show_bug.cgi?id=1685">bug 1685</a>
from <span class="vcard"><a class="email" href="mailto:phil@nwl.cc" title="Phil Sutter <phil@nwl.cc>"> <span class="fn">Phil Sutter</span></a>
</span></b>
<pre>(In reply to Chen Zhen from <a href="show_bug.cgi?id=1685#c5">comment #5</a>)
<span class="quote">> Is there a problem with this patch? I have verified it by the reproduction
> code above.
>
>
> From 325df1f49bb273177a9f47f60ea9baa4f3f3197d Mon Sep 17 00:00:00 2001
> From: sxt1001 <<a href="mailto:sxt1001@qq.com">sxt1001@qq.com</a>>
> Date: Wed, 31 May 2023 21:01:47 +0800
> Subject: [PATCH] Fix double free
>
> ---
> src/set.c | 7 +++++--
> 1 file changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/src/set.c b/src/set.c
> index c46f827..738cc24 100644
> --- a/src/set.c
> +++ b/src/set.c
> @@ -54,8 +54,11 @@ void nftnl_set_free(const struct nftnl_set *s)
> if (s->flags & (1 << NFTNL_SET_USERDATA))
> xfree(s->user.data);
>
> - list_for_each_entry_safe(expr, next, &s->expr_list, head)
> - nftnl_expr_free(expr);
> + if (s->flags & (1 << NFTNL_SET_EXPR))
> + {
> + list_for_each_entry_safe(expr, next, &s->expr_list, head)
> + nftnl_expr_free(expr);
> + }</span >
There are more places where elements are freed but not removed from list. It is
safer to not leave the list in such state but instead make sure things stay
consistent. See the code dealing with element_list which does it.</pre>
</div>
</p>
<hr>
<span>You are receiving this mail because:</span>
<ul>
<li>You are watching all bug changes.</li>
</ul>
</body>
</html>