All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH nft 1/2] parser_bison: memleak in device parser
@ 2020-02-19 20:08 Pablo Neira Ayuso
  2020-02-19 20:08 ` [PATCH nft 2/2] mnl: do not use expr->identifier to fetch device name Pablo Neira Ayuso
  0 siblings, 1 reply; 2+ messages in thread
From: Pablo Neira Ayuso @ 2020-02-19 20:08 UTC (permalink / raw)
  To: netfilter-devel

==1135425== 9 bytes in 1 blocks are definitely lost in loss record 1 of 1
==1135425==    at 0x483577F: malloc (vg_replace_malloc.c:309)
==1135425==    by 0x4BE846A: strdup (strdup.c:42)
==1135425==    by 0x48A5EDD: xstrdup (utils.c:75)
==1135425==    by 0x48C9A20: nft_lex (scanner.l:640)
==1135425==    by 0x48BC1A4: nft_parse (parser_bison.c:5682)
==1135425==    by 0x48AC336: nft_parse_bison_buffer (libnftables.c:375)
==1135425==    by 0x48AC336: nft_run_cmd_from_buffer (libnftables.c:443)
==1135425==    by 0x10A707: main (main.c:384)

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/parser_bison.y | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/parser_bison.y b/src/parser_bison.y
index cc77d0420cb0..ad512cdbb4c2 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -2141,6 +2141,7 @@ dev_spec		:	DEVICE	string
 				expr = constant_expr_alloc(&@$, &string_type,
 							   BYTEORDER_HOST_ENDIAN,
 							   strlen($2) * BITS_PER_BYTE, $2);
+				xfree($2);
 				$$ = compound_expr_alloc(&@$, EXPR_LIST);
 				compound_expr_add($$, expr);
 
-- 
2.11.0


^ permalink raw reply related	[flat|nested] 2+ messages in thread
* [PATCH nft 2/2] mnl: do not use expr->identifier to fetch device name
  2020-02-19 20:08 [PATCH nft 1/2] parser_bison: memleak in device parser Pablo Neira Ayuso
@ 2020-02-19 20:08 ` Pablo Neira Ayuso
  0 siblings, 0 replies; 2+ messages in thread
From: Pablo Neira Ayuso @ 2020-02-19 20:08 UTC (permalink / raw)
  To: netfilter-devel

This string might not be nul-terminated, resulting in spurious errors
when adding netdev chains.

Fixes: 3fdc7541fba0 ("src: add multidevice support for netdev chain")
Fixes: 92911b362e90 ("src: add support to add flowtables")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/mnl.c | 33 +++++++++++++++++++++++++++++----
 1 file changed, 29 insertions(+), 4 deletions(-)

diff --git a/src/mnl.c b/src/mnl.c
index 4f42795e0f12..bca5add0f8eb 100644
--- a/src/mnl.c
+++ b/src/mnl.c
@@ -26,6 +26,7 @@
 
 #include <mnl.h>
 #include <string.h>
+#include <net/if.h>
 #include <sys/socket.h>
 #include <arpa/inet.h>
 #include <fcntl.h>
@@ -609,7 +610,9 @@ int mnl_nft_chain_add(struct netlink_ctx *ctx, struct cmd *cmd,
 {
 	int priority, policy, i = 0;
 	struct nftnl_chain *nlc;
+	unsigned int ifname_len;
 	const char **dev_array;
+	char ifname[IFNAMSIZ];
 	struct nlmsghdr *nlh;
 	struct expr *expr;
 	int dev_array_len;
@@ -635,7 +638,12 @@ int mnl_nft_chain_add(struct netlink_ctx *ctx, struct cmd *cmd,
 			dev_array = xmalloc(sizeof(char *) * 8);
 			dev_array_len = 8;
 			list_for_each_entry(expr, &cmd->chain->dev_expr->expressions, list) {
-				dev_array[i++] = expr->identifier;
+				ifname_len = div_round_up(expr->len, BITS_PER_BYTE);
+				memset(ifname, 0, sizeof(ifname));
+				mpz_export_data(ifname, expr->value,
+						BYTEORDER_HOST_ENDIAN,
+						ifname_len);
+				dev_array[i++] = xstrdup(ifname);
 				if (i == dev_array_len) {
 					dev_array_len *= 2;
 					dev_array = xrealloc(dev_array,
@@ -650,6 +658,10 @@ int mnl_nft_chain_add(struct netlink_ctx *ctx, struct cmd *cmd,
 				nftnl_chain_set_data(nlc, NFTNL_CHAIN_DEVICES, dev_array,
 						     sizeof(char *) * dev_array_len);
 
+			i = 0;
+			while (dev_array[i] != NULL)
+				xfree(dev_array[i++]);
+
 			xfree(dev_array);
 		}
 	}
@@ -1565,7 +1577,9 @@ int mnl_nft_flowtable_add(struct netlink_ctx *ctx, struct cmd *cmd,
 			  unsigned int flags)
 {
 	struct nftnl_flowtable *flo;
+	unsigned int ifname_len;
 	const char **dev_array;
+	char ifname[IFNAMSIZ];
 	struct nlmsghdr *nlh;
 	int i = 0, len = 1;
 	struct expr *expr;
@@ -1586,13 +1600,24 @@ int mnl_nft_flowtable_add(struct netlink_ctx *ctx, struct cmd *cmd,
 	list_for_each_entry(expr, &cmd->flowtable->dev_expr->expressions, list)
 		len++;
 
-	dev_array = calloc(len, sizeof(char *));
-	list_for_each_entry(expr, &cmd->flowtable->dev_expr->expressions, list)
-		dev_array[i++] = expr->identifier;
+	dev_array = xmalloc(sizeof(char *) * len);
+
+	list_for_each_entry(expr, &cmd->flowtable->dev_expr->expressions, list) {
+		ifname_len = div_round_up(expr->len, BITS_PER_BYTE);
+		memset(ifname, 0, sizeof(ifname));
+		mpz_export_data(ifname, expr->value, BYTEORDER_HOST_ENDIAN,
+				ifname_len);
+		dev_array[i++] = xstrdup(ifname);
+	}
 
 	dev_array[i] = NULL;
 	nftnl_flowtable_set_data(flo, NFTNL_FLOWTABLE_DEVICES,
 				 dev_array, sizeof(char *) * len);
+
+	i = 0;
+	while (dev_array[i] != NULL)
+		xfree(dev_array[i++]);
+
 	free(dev_array);
 
 	netlink_dump_flowtable(flo, ctx);
-- 
2.11.0


^ permalink raw reply related	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2020-02-19 20:08 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-02-19 20:08 [PATCH nft 1/2] parser_bison: memleak in device parser Pablo Neira Ayuso
2020-02-19 20:08 ` [PATCH nft 2/2] mnl: do not use expr->identifier to fetch device name Pablo Neira Ayuso

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.