[Bug 1685] Calling the nftnl_set_free function may trigger the "double free" problem.
bugzilla-daemon at netfilter.org
bugzilla-daemon at netfilter.org
Wed May 31 17:07:49 CEST 2023
https://bugzilla.netfilter.org/show_bug.cgi?id=1685
--- Comment #6 from Phil Sutter <phil at nwl.cc> ---
(In reply to Chen Zhen from comment #5)
> Is there a problem with this patch? I have verified it by the reproduction
> code above.
>
>
> From 325df1f49bb273177a9f47f60ea9baa4f3f3197d Mon Sep 17 00:00:00 2001
> From: sxt1001 <sxt1001 at qq.com>
> Date: Wed, 31 May 2023 21:01:47 +0800
> Subject: [PATCH] Fix double free
>
> ---
> src/set.c | 7 +++++--
> 1 file changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/src/set.c b/src/set.c
> index c46f827..738cc24 100644
> --- a/src/set.c
> +++ b/src/set.c
> @@ -54,8 +54,11 @@ void nftnl_set_free(const struct nftnl_set *s)
> if (s->flags & (1 << NFTNL_SET_USERDATA))
> xfree(s->user.data);
>
> - list_for_each_entry_safe(expr, next, &s->expr_list, head)
> - nftnl_expr_free(expr);
> + if (s->flags & (1 << NFTNL_SET_EXPR))
> + {
> + list_for_each_entry_safe(expr, next, &s->expr_list, head)
> + nftnl_expr_free(expr);
> + }
There are more places where elements are freed but not removed from list. It is
safer to not leave the list in such state but instead make sure things stay
consistent. See the code dealing with element_list which does it.
--
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20230531/88c49a28/attachment.html>
More information about the netfilter-buglog
mailing list