Netfilter-Devel Archive on lore.kernel.org
* [PATCH nft 1/3] parser_bison: memleak symbol redefinition
@ 2020-07-28 18:15 Pablo Neira Ayuso
  2020-07-28 18:15 ` [PATCH nft 2/3] evaluate: memleak in invalid default policy definition Pablo Neira Ayuso
  2020-07-28 18:15 ` [PATCH nft 3/3] evaluate: UAF in hook priority expression Pablo Neira Ayuso
  0 siblings, 2 replies; 4+ messages in thread
From: Pablo Neira Ayuso @ 2020-07-28 18:15 UTC
  To: netfilter-devel

Missing expr_free() from the error path.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/parser_bison.y | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/parser_bison.y b/src/parser_bison.y
index f0cca64136ee..167c315810ed 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -862,6 +862,7 @@ common_block		:	INCLUDE		QUOTED_STRING	stmt_separator
 				if (symbol_lookup(scope, $2) != NULL) {
 					erec_queue(error(&@2, "redefinition of symbol '%s'", $2),
 						   state->msgs);
+					expr_free($4);
 					xfree($2);
 					YYERROR;
 				}
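Review bot: the error branch under symbol_lookup() now frees $4 by hand, but neither the commit message nor a comment says what $4 holds or why it has to be released manually. Bison does not invoke a %destructor for the right-hand-side symbols of a rule whose action calls YYERROR, so the action owns both $2 and $4 at this point; one sentence to that effect in the commit message would make the fix self-explanatory. It is also worth checking any other YYERROR exits in this action for the same pattern, and adding a test that defines the same symbol twice and runs under a leak checker.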
-- 
2.20.1



* [PATCH nft 2/3] evaluate: memleak in invalid default policy definition
  2020-07-28 18:15 [PATCH nft 1/3] parser_bison: memleak symbol redefinition Pablo Neira Ayuso
@ 2020-07-28 18:15 ` Pablo Neira Ayuso
  2020-07-28 18:15 ` [PATCH nft 3/3] evaluate: UAF in hook priority expression Pablo Neira Ayuso
  1 sibling, 0 replies; 4+ messages in thread
From: Pablo Neira Ayuso @ 2020-07-28 18:15 UTC
  To: netfilter-devel

Release the clone expression from the exit path.

Fixes: 5173151863d3 ("evaluate: replace variable expression by the value expression")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/evaluate.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/evaluate.c b/src/evaluate.c
index e529a7f08e14..536325e83537 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -2017,8 +2017,10 @@ static int expr_evaluate_variable(struct eval_ctx *ctx, struct expr **exprp)
 {
 	struct expr *new = expr_clone((*exprp)->sym->expr);
 
-	if (expr_evaluate(ctx, &new) < 0)
+	if (expr_evaluate(ctx, &new) < 0) {
+		expr_free(new);
 		return -1;
+	}
 
 	expr_free(*exprp);
 	*exprp = new;
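Review bot: in the new error branch, expr_free(new) assumes that `new` still points at a live expression this function owns after expr_evaluate(ctx, &new) has failed. Because the pointer is passed by address, the callee can replace or release it before returning an error; please confirm that no failure path in expr_evaluate() leaves the pointer freed or stale, otherwise this turns the leak into a double free. The subject mentions an invalid default policy definition while the change sits in the generic expr_evaluate_variable(), so naming the ruleset that triggers the leak in the commit message would help.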
-- 
2.20.1



* [PATCH nft 3/3] evaluate: UAF in hook priority expression
  2020-07-28 18:15 [PATCH nft 1/3] parser_bison: memleak symbol redefinition Pablo Neira Ayuso
  2020-07-28 18:15 ` [PATCH nft 2/3] evaluate: memleak in invalid default policy definition Pablo Neira Ayuso
@ 2020-07-28 18:15 ` Pablo Neira Ayuso
  1 sibling, 0 replies; 4+ messages in thread
From: Pablo Neira Ayuso @ 2020-07-28 18:15 UTC
  To: netfilter-devel

Release priority expression right before assigning the constant
expression that results from the evaluation.

Fixes: 627c451b2351 ("src: allow variables in the chain priority specification")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/evaluate.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/evaluate.c b/src/evaluate.c
index 536325e83537..7f93621827e6 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -3707,7 +3707,6 @@ static bool evaluate_priority(struct eval_ctx *ctx, struct prio_spec *prio,
 	mpz_export_data(prio_str, prio->expr->value, BYTEORDER_HOST_ENDIAN,
 			NFT_NAME_MAXLEN);
 	loc = prio->expr->location;
-	expr_free(prio->expr);
 
 	if (sscanf(prio_str, "%s %c %d", prio_fst, &op, &prio_snd) < 3) {
 		priority = std_prio_lookup(prio_str, family, hook);
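Review bot: the commit message does not say which access read freed memory. With expr_free(prio->expr) dropped right after `loc = prio->expr->location;`, the reader has to guess which later use of prio->expr was the offending one, since it is not in the visible context; please name it, and the priority string that triggers it, in the commit message so the Fixes: tag can be verified.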
@@ -3724,6 +3723,7 @@ static bool evaluate_priority(struct eval_ctx *ctx, struct prio_spec *prio,
 		else
 			return false;
 	}
+	expr_free(prio->expr);
 	prio->expr = constant_expr_alloc(&loc, &integer_type,
 					 BYTEORDER_HOST_ENDIAN,
 					 sizeof(int) * BITS_PER_BYTE,
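Review bot: with the free moved below the `return false` branch, the failure returns now leave prio->expr allocated and still attached to prio. That removes the dangling pointer, but it makes the caller responsible for releasing prio->expr when evaluate_priority() returns false; please confirm that the caller's cleanup path does so, otherwise the fix converts the use-after-free into a leak on invalid priorities.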
-- 
2.20.1



* [PATCH nft 1/3] parser_bison: memleak symbol redefinition
@ 2020-07-28 18:17 Pablo Neira Ayuso
  0 siblings, 0 replies; 4+ messages in thread
From: Pablo Neira Ayuso @ 2020-07-28 18:17 UTC
  To: netfilter-devel

Missing expr_free() from the error path.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/parser_bison.y | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/parser_bison.y b/src/parser_bison.y
index f0cca64136ee..167c315810ed 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -862,6 +862,7 @@ common_block		:	INCLUDE		QUOTED_STRING	stmt_separator
 				if (symbol_lookup(scope, $2) != NULL) {
 					erec_queue(error(&@2, "redefinition of symbol '%s'", $2),
 						   state->msgs);
+					expr_free($4);
 					xfree($2);
 					YYERROR;
 				}
-- 
2.20.1

