netfilter-devel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH nft 1/2] parser_bison: memleak in device parser
@ 2020-02-19 20:08 Pablo Neira Ayuso
  2020-02-19 20:08 ` [PATCH nft 2/2] mnl: do not use expr->identifier to fetch device name Pablo Neira Ayuso
  0 siblings, 1 reply; 2+ messages in thread
From: Pablo Neira Ayuso @ 2020-02-19 20:08 UTC (permalink / raw)
  To: netfilter-devel

==1135425== 9 bytes in 1 blocks are definitely lost in loss record 1 of 1
==1135425==    at 0x483577F: malloc (vg_replace_malloc.c:309)
==1135425==    by 0x4BE846A: strdup (strdup.c:42)
==1135425==    by 0x48A5EDD: xstrdup (utils.c:75)
==1135425==    by 0x48C9A20: nft_lex (scanner.l:640)
==1135425==    by 0x48BC1A4: nft_parse (parser_bison.c:5682)
==1135425==    by 0x48AC336: nft_parse_bison_buffer (libnftables.c:375)
==1135425==    by 0x48AC336: nft_run_cmd_from_buffer (libnftables.c:443)
==1135425==    by 0x10A707: main (main.c:384)

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/parser_bison.y | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/parser_bison.y b/src/parser_bison.y
index cc77d0420cb0..ad512cdbb4c2 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -2141,6 +2141,7 @@ dev_spec		:	DEVICE	string
 				expr = constant_expr_alloc(&@$, &string_type,
 							   BYTEORDER_HOST_ENDIAN,
 							   strlen($2) * BITS_PER_BYTE, $2);
+				xfree($2);
 				$$ = compound_expr_alloc(&@$, EXPR_LIST);
 				compound_expr_add($$, expr);
 
-- 
2.11.0


^ permalink raw reply related	[flat|nested] 2+ messages in thread
* [PATCH nft 2/2] mnl: do not use expr->identifier to fetch device name
  2020-02-19 20:08 [PATCH nft 1/2] parser_bison: memleak in device parser Pablo Neira Ayuso
@ 2020-02-19 20:08 ` Pablo Neira Ayuso
  0 siblings, 0 replies; 2+ messages in thread
From: Pablo Neira Ayuso @ 2020-02-19 20:08 UTC (permalink / raw)
  To: netfilter-devel

This string might not be nul-terminated, resulting in spurious errors
when adding netdev chains.

Fixes: 3fdc7541fba0 ("src: add multidevice support for netdev chain")
Fixes: 92911b362e90 ("src: add support to add flowtables")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/mnl.c | 33 +++++++++++++++++++++++++++++----
 1 file changed, 29 insertions(+), 4 deletions(-)

diff --git a/src/mnl.c b/src/mnl.c
index 4f42795e0f12..bca5add0f8eb 100644
--- a/src/mnl.c
+++ b/src/mnl.c
@@ -26,6 +26,7 @@
 
 #include <mnl.h>
 #include <string.h>
+#include <net/if.h>
 #include <sys/socket.h>
 #include <arpa/inet.h>
 #include <fcntl.h>
@@ -609,7 +610,9 @@ int mnl_nft_chain_add(struct netlink_ctx *ctx, struct cmd *cmd,
 {
 	int priority, policy, i = 0;
 	struct nftnl_chain *nlc;
+	unsigned int ifname_len;
 	const char **dev_array;
+	char ifname[IFNAMSIZ];
 	struct nlmsghdr *nlh;
 	struct expr *expr;
 	int dev_array_len;
@@ -635,7 +638,12 @@ int mnl_nft_chain_add(struct netlink_ctx *ctx, struct cmd *cmd,
 			dev_array = xmalloc(sizeof(char *) * 8);
 			dev_array_len = 8;
 			list_for_each_entry(expr, &cmd->chain->dev_expr->expressions, list) {
-				dev_array[i++] = expr->identifier;
+				ifname_len = div_round_up(expr->len, BITS_PER_BYTE);
+				memset(ifname, 0, sizeof(ifname));
+				mpz_export_data(ifname, expr->value,
+						BYTEORDER_HOST_ENDIAN,
+						ifname_len);
+				dev_array[i++] = xstrdup(ifname);
 				if (i == dev_array_len) {
 					dev_array_len *= 2;
 					dev_array = xrealloc(dev_array,
@@ -650,6 +658,10 @@ int mnl_nft_chain_add(struct netlink_ctx *ctx, struct cmd *cmd,
 				nftnl_chain_set_data(nlc, NFTNL_CHAIN_DEVICES, dev_array,
 						     sizeof(char *) * dev_array_len);
 
+			i = 0;
+			while (dev_array[i] != NULL)
+				xfree(dev_array[i++]);
+
 			xfree(dev_array);
 		}
 	}
@@ -1565,7 +1577,9 @@ int mnl_nft_flowtable_add(struct netlink_ctx *ctx, struct cmd *cmd,
 			  unsigned int flags)
 {
 	struct nftnl_flowtable *flo;
+	unsigned int ifname_len;
 	const char **dev_array;
+	char ifname[IFNAMSIZ];
 	struct nlmsghdr *nlh;
 	int i = 0, len = 1;
 	struct expr *expr;
@@ -1586,13 +1600,24 @@ int mnl_nft_flowtable_add(struct netlink_ctx *ctx, struct cmd *cmd,
 	list_for_each_entry(expr, &cmd->flowtable->dev_expr->expressions, list)
 		len++;
 
-	dev_array = calloc(len, sizeof(char *));
-	list_for_each_entry(expr, &cmd->flowtable->dev_expr->expressions, list)
-		dev_array[i++] = expr->identifier;
+	dev_array = xmalloc(sizeof(char *) * len);
+
+	list_for_each_entry(expr, &cmd->flowtable->dev_expr->expressions, list) {
+		ifname_len = div_round_up(expr->len, BITS_PER_BYTE);
+		memset(ifname, 0, sizeof(ifname));
+		mpz_export_data(ifname, expr->value, BYTEORDER_HOST_ENDIAN,
+				ifname_len);
+		dev_array[i++] = xstrdup(ifname);
+	}
 
 	dev_array[i] = NULL;
 	nftnl_flowtable_set_data(flo, NFTNL_FLOWTABLE_DEVICES,
 				 dev_array, sizeof(char *) * len);
+
+	i = 0;
+	while (dev_array[i] != NULL)
+		xfree(dev_array[i++]);
+
 	free(dev_array);
 
 	netlink_dump_flowtable(flo, ctx);
-- 
2.11.0


^ permalink raw reply related	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2020-02-19 20:08 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-02-19 20:08 [PATCH nft 1/2] parser_bison: memleak in device parser Pablo Neira Ayuso
2020-02-19 20:08 ` [PATCH nft 2/2] mnl: do not use expr->identifier to fetch device name Pablo Neira Ayuso

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).