* [PATCH nft 1/3] parser_bison: memleak symbol redefinition
From: Pablo Neira Ayuso @ 2020-07-28 18:15 UTC
To: netfilter-devel
Missing expr_free() from the error path.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
src/parser_bison.y | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/parser_bison.y b/src/parser_bison.y
index f0cca64136ee..167c315810ed 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -862,6 +862,7 @@ common_block : INCLUDE QUOTED_STRING stmt_separator
if (symbol_lookup(scope, $2) != NULL) {
erec_queue(error(&@2, "redefinition of symbol '%s'", $2),
state->msgs);
+ expr_free($4);
xfree($2);
YYERROR;
}
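Review bot: The commit message does not say what $4 holds or which commit introduced the leak, and the added expr_free($4) in the "redefinition of symbol" branch cannot be checked against the rule's right-hand side from the context shown. Please name the leaked expression in the message and add a Fixes: tag, as patches 2/3 and 3/3 do. The manual free is needed because Bison does not run %destructor for right-hand-side symbols when the action itself calls YYERROR; a one-line comment saying so above expr_free($4) and xfree($2) would keep a later cleanup from dropping them.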
--
2.20.1
* [PATCH nft 2/3] evaluate: memleak in invalid default policy definition
From: Pablo Neira Ayuso @ 2020-07-28 18:15 UTC
To: netfilter-devel
Release the clone expression from the exit path.
Fixes: 5173151863d3 ("evaluate: replace variable expression by the value expression")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
src/evaluate.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/evaluate.c b/src/evaluate.c
index e529a7f08e14..536325e83537 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -2017,8 +2017,10 @@ static int expr_evaluate_variable(struct eval_ctx *ctx, struct expr **exprp)
{
struct expr *new = expr_clone((*exprp)->sym->expr);
- if (expr_evaluate(ctx, &new) < 0)
+ if (expr_evaluate(ctx, &new) < 0) {
+ expr_free(new);
return -1;
+ }
expr_free(*exprp);
*exprp = new;
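Review bot: The new expr_free(new) in the failure branch is only safe if expr_evaluate(ctx, &new) always leaves new pointing at a live expression when it returns a negative value. Evaluators replace the expression through the pointer they are handed, as the two lines after this branch do with expr_free(*exprp); *exprp = new;, so one that releases the old expression and then fails before storing the replacement would turn this leak fix into a double free. Worth confirming that invariant (patch 3/3 in this series moves an early free of exactly that kind) and stating it in a comment above the call. The subject mentions the default policy definition while the change sits in the generic expr_evaluate_variable(); a sentence in the message linking the two would help.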
--
2.20.1
* [PATCH nft 3/3] evaluate: UAF in hook priority expression
From: Pablo Neira Ayuso @ 2020-07-28 18:15 UTC
To: netfilter-devel
Release priority expression right before assigning the constant
expression that results from the evaluation.
Fixes: 627c451b2351 ("src: allow variables in the chain priority specification")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
src/evaluate.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/evaluate.c b/src/evaluate.c
index 536325e83537..7f93621827e6 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -3707,7 +3707,6 @@ static bool evaluate_priority(struct eval_ctx *ctx, struct prio_spec *prio,
mpz_export_data(prio_str, prio->expr->value, BYTEORDER_HOST_ENDIAN,
NFT_NAME_MAXLEN);
loc = prio->expr->location;
- expr_free(prio->expr);
if (sscanf(prio_str, "%s %c %d", prio_fst, &op, &prio_snd) < 3) {
priority = std_prio_lookup(prio_str, family, hook);
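Review bot: The commit message describes where the free now goes but not which access was the use after free. With expr_free(prio->expr) sitting directly after loc = prio->expr->location, any failure exit further down, such as the return false visible in the next hunk, returned with prio->expr still pointing at released memory unless lines not shown here reassign it. Please spell that out in the message, and consider a regression test with a priority string that fails the lookup, run under ASan or valgrind.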
@@ -3724,6 +3723,7 @@ static bool evaluate_priority(struct eval_ctx *ctx, struct prio_spec *prio,
else
return false;
}
+ expr_free(prio->expr);
prio->expr = constant_expr_alloc(&loc, &integer_type,
BYTEORDER_HOST_ENDIAN,
sizeof(int) * BITS_PER_BYTE,
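Review bot: The argument list of constant_expr_alloc() is cut off after sizeof(int) * BITS_PER_BYTE, so it is not visible whether a later argument still reads from prio->expr, which the added expr_free(prio->expr) has already released when the call is made. The arguments shown (&loc, &integer_type, BYTEORDER_HOST_ENDIAN) are fine because loc was copied earlier; please confirm the remaining ones are too. Only one return false is visible between the removed and the added line, so also check that no exit in between returns success with the old expression still attached.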
--
2.20.1
* [PATCH nft 1/3] parser_bison: memleak symbol redefinition
From: Pablo Neira Ayuso @ 2020-07-28 18:17 UTC
To: netfilter-devel
Missing expr_free() from the error path.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
src/parser_bison.y | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/parser_bison.y b/src/parser_bison.y
index f0cca64136ee..167c315810ed 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -862,6 +862,7 @@ common_block : INCLUDE QUOTED_STRING stmt_separator
if (symbol_lookup(scope, $2) != NULL) {
erec_queue(error(&@2, "redefinition of symbol '%s'", $2),
state->msgs);
+ expr_free($4);
xfree($2);
YYERROR;
}
--
2.20.1