* [PATCH nft 1/3] parser_bison: memleak symbol redefinition
@ 2020-07-28 18:17 Pablo Neira Ayuso
2020-07-28 18:17 ` [PATCH nft 2/3] evaluate: memleak in invalid default policy definition Pablo Neira Ayuso
2020-07-28 18:17 ` [PATCH nft 3/3] evaluate: UAF in hook priority expression Pablo Neira Ayuso
0 siblings, 2 replies; 4+ messages in thread
From: Pablo Neira Ayuso @ 2020-07-28 18:17 UTC (permalink / raw)
To: netfilter-devel
Missing expr_free() from the error path.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
src/parser_bison.y | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/parser_bison.y b/src/parser_bison.y
index f0cca64136ee..167c315810ed 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -862,6 +862,7 @@ common_block : INCLUDE QUOTED_STRING stmt_separator
if (symbol_lookup(scope, $2) != NULL) {
erec_queue(error(&@2, "redefinition of symbol '%s'", $2),
state->msgs);
+ expr_free($4);
xfree($2);
YYERROR;
}
--
2.20.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH nft 2/3] evaluate: memleak in invalid default policy definition
2020-07-28 18:17 [PATCH nft 1/3] parser_bison: memleak symbol redefinition Pablo Neira Ayuso
@ 2020-07-28 18:17 ` Pablo Neira Ayuso
2020-07-28 18:17 ` [PATCH nft 3/3] evaluate: UAF in hook priority expression Pablo Neira Ayuso
1 sibling, 0 replies; 4+ messages in thread
From: Pablo Neira Ayuso @ 2020-07-28 18:17 UTC (permalink / raw)
To: netfilter-devel
Release the clone expression from the exit path.
Fixes: 5173151863d3 ("evaluate: replace variable expression by the value expression")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
src/evaluate.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/evaluate.c b/src/evaluate.c
index e529a7f08e14..536325e83537 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -2017,8 +2017,10 @@ static int expr_evaluate_variable(struct eval_ctx *ctx, struct expr **exprp)
{
struct expr *new = expr_clone((*exprp)->sym->expr);
- if (expr_evaluate(ctx, &new) < 0)
+ if (expr_evaluate(ctx, &new) < 0) {
+ expr_free(new);
return -1;
+ }
expr_free(*exprp);
*exprp = new;
--
2.20.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH nft 3/3] evaluate: UAF in hook priority expression
2020-07-28 18:17 [PATCH nft 1/3] parser_bison: memleak symbol redefinition Pablo Neira Ayuso
2020-07-28 18:17 ` [PATCH nft 2/3] evaluate: memleak in invalid default policy definition Pablo Neira Ayuso
@ 2020-07-28 18:17 ` Pablo Neira Ayuso
1 sibling, 0 replies; 4+ messages in thread
From: Pablo Neira Ayuso @ 2020-07-28 18:17 UTC (permalink / raw)
To: netfilter-devel
Release priority expression right before assigning the constant
expression that results from the evaluation.
Fixes: 627c451b2351 ("src: allow variables in the chain priority specification")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
src/evaluate.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/evaluate.c b/src/evaluate.c
index 536325e83537..7f93621827e6 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -3707,7 +3707,6 @@ static bool evaluate_priority(struct eval_ctx *ctx, struct prio_spec *prio,
mpz_export_data(prio_str, prio->expr->value, BYTEORDER_HOST_ENDIAN,
NFT_NAME_MAXLEN);
loc = prio->expr->location;
- expr_free(prio->expr);
if (sscanf(prio_str, "%s %c %d", prio_fst, &op, &prio_snd) < 3) {
priority = std_prio_lookup(prio_str, family, hook);
@@ -3724,6 +3723,7 @@ static bool evaluate_priority(struct eval_ctx *ctx, struct prio_spec *prio,
else
return false;
}
+ expr_free(prio->expr);
prio->expr = constant_expr_alloc(&loc, &integer_type,
BYTEORDER_HOST_ENDIAN,
sizeof(int) * BITS_PER_BYTE,
--
2.20.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH nft 3/3] evaluate: UAF in hook priority expression
2020-07-28 18:15 [PATCH nft 1/3] parser_bison: memleak symbol redefinition Pablo Neira Ayuso
@ 2020-07-28 18:15 ` Pablo Neira Ayuso
0 siblings, 0 replies; 4+ messages in thread
From: Pablo Neira Ayuso @ 2020-07-28 18:15 UTC (permalink / raw)
To: netfilter-devel
Release priority expression right before assigning the constant
expression that results from the evaluation.
Fixes: 627c451b2351 ("src: allow variables in the chain priority specification")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
src/evaluate.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/evaluate.c b/src/evaluate.c
index 536325e83537..7f93621827e6 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -3707,7 +3707,6 @@ static bool evaluate_priority(struct eval_ctx *ctx, struct prio_spec *prio,
mpz_export_data(prio_str, prio->expr->value, BYTEORDER_HOST_ENDIAN,
NFT_NAME_MAXLEN);
loc = prio->expr->location;
- expr_free(prio->expr);
if (sscanf(prio_str, "%s %c %d", prio_fst, &op, &prio_snd) < 3) {
priority = std_prio_lookup(prio_str, family, hook);
@@ -3724,6 +3723,7 @@ static bool evaluate_priority(struct eval_ctx *ctx, struct prio_spec *prio,
else
return false;
}
+ expr_free(prio->expr);
prio->expr = constant_expr_alloc(&loc, &integer_type,
BYTEORDER_HOST_ENDIAN,
sizeof(int) * BITS_PER_BYTE,
--
2.20.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
end of thread, other threads:[~2020-07-28 18:17 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-07-28 18:17 [PATCH nft 1/3] parser_bison: memleak symbol redefinition Pablo Neira Ayuso
2020-07-28 18:17 ` [PATCH nft 2/3] evaluate: memleak in invalid default policy definition Pablo Neira Ayuso
2020-07-28 18:17 ` [PATCH nft 3/3] evaluate: UAF in hook priority expression Pablo Neira Ayuso
-- strict thread matches above, loose matches on Subject: below --
2020-07-28 18:15 [PATCH nft 1/3] parser_bison: memleak symbol redefinition Pablo Neira Ayuso
2020-07-28 18:15 ` [PATCH nft 3/3] evaluate: UAF in hook priority expression Pablo Neira Ayuso
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).