[Bug 1685] Calling the nftnl_set_free function may trigger the "double free" problem.
bugzilla-daemon at netfilter.org
Wed May 31 15:19:28 CEST 2023
https://bugzilla.netfilter.org/show_bug.cgi?id=1685
--- Comment #5 from Chen Zhen <vchanger123456 at 163.com> ---
Is there a problem with this patch? I have verified it by the reproduction code
above.
>From 325df1f49bb273177a9f47f60ea9baa4f3f3197d Mon Sep 17 00:00:00 2001
From: sxt1001 <sxt1001 at qq.com>
Date: Wed, 31 May 2023 21:01:47 +0800
Subject: [PATCH] Fix double free
---
src/set.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/src/set.c b/src/set.c
index c46f827..738cc24 100644
--- a/src/set.c
+++ b/src/set.c
@@ -54,8 +54,11 @@ void nftnl_set_free(const struct nftnl_set *s)
if (s->flags & (1 << NFTNL_SET_USERDATA))
xfree(s->user.data);
- list_for_each_entry_safe(expr, next, &s->expr_list, head)
- nftnl_expr_free(expr);
+ if (s->flags & (1 << NFTNL_SET_EXPR))
+ {
+ list_for_each_entry_safe(expr, next, &s->expr_list, head)
+ nftnl_expr_free(expr);
+ }
list_for_each_entry_safe(elem, tmp, &s->element_list, head) {
list_del(&elem->head);
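Review bot: In the added `if (s->flags & (1 << NFTNL_SET_EXPR))` block, cleanup of `s->expr_list` now depends on a flag bit instead of on what is actually linked on the list, so any expression still on the list while that bit is clear is leaked, and the loop itself still frees each entry without unlinking it. The element loop just below calls `list_del(&elem->head)` before freeing; doing the same here (`list_del(&expr->head);` ahead of `nftnl_expr_free(expr);`), and making sure whichever path freed the expressions earlier also unlinks them, would let this walk stay unconditional and remain safe when it runs a second time. If the flag check is kept, the opening brace belongs on the `if` line to match the `list_for_each_entry_safe(...) {` style in the surrounding context, and the commit message should name the call sequence that produces the double free rather than only "Fix double free".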
--
2.33.0