From: Hani Benhabiles <kroosec@gmail.com>
To: netfilter-devel@vger.kernel.org
Subject: [PATCH conntrack-tools] nfct: Fix use-after-free / double-free
Date: Fri, 11 Oct 2013 21:05:34 +0100
Message-ID: <20131011200534.GD2728@doj>

helper's list and flush command handlers shouldn't call mnl_socket_close on the
passed netlink socket, as it is done in the main function after the parse_params
call.

Signed-off-by: Hani Benhabiles <kroosec@gmail.com>
---
(gdb) run helper list
Starting program: /usr/local/sbin/nfct helper list
*** glibc detected *** /usr/local/sbin/nfct: double free or corruption (fasttop): 0x0000000000606010 ***
[...]
(gdb) bt
#0  0x00007ffff723e425 in __GI_raise (sig=<optimized out>)
    at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x00007ffff7241b8b in __GI_abort () at abort.c:91
#2  0x00007ffff727c39e in __libc_message (do_abort=2, 
    fmt=0x7ffff7386028 "*** glibc detected *** %s: %s: 0x%s ***\n")
    at ../sysdeps/unix/sysv/linux/libc_fatal.c:201
#3  0x00007ffff7286b96 in malloc_printerr (action=3, 
    str=0x7ffff7386218 "double free or corruption (fasttop)", ptr=<optimized out>) at malloc.c:5018
#4  0x00007ffff7bd5e82 in mnl_socket_close (nl=nl@entry=0x606010) at socket.c:249
#5  0x0000000000401a74 in main (argc=3, argv=0x7fffffffe6d8) at nfct.c:115


diff --git a/src/nfct-extensions/helper.c b/src/nfct-extensions/helper.c
index 7544ed7..bfb153f 100644
--- a/src/nfct-extensions/helper.c
+++ b/src/nfct-extensions/helper.c
@@ -144,8 +144,6 @@ static int nfct_cmd_helper_list(struct mnl_socket *nl, int argc, char *argv[])
 		return -1;
 	}
 
-	mnl_socket_close(nl);
-
 	return 0;
 }
 
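Review bot: with the close removed at the end of nfct_cmd_helper_list(), nothing in the handler records that nl is owned by the caller; a one-line comment above the function (for example "nl is opened and closed by main(), do not close it here") would keep the close from creeping back in. The change itself matches the backtrace: main() at nfct.c:115 calls mnl_socket_close() on the same socket after the handler returns, and mnl_socket_close() frees the struct, so the handler's close left main() freeing already freed memory. The visible `return -1;` context line shows the error path already returned without closing, so after this hunk the success and error paths agree on ownership.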
@@ -397,8 +395,6 @@ nfct_cmd_helper_flush(struct mnl_socket *nl, int argc, char *argv[])
 		return -1;
 	}
 
-	mnl_socket_close(nl);
-
 	return 0;
 }
 
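Review bot: the patch drops `mnl_socket_close(nl);` from nfct_cmd_helper_flush() and from the list handler only, while the other helper subcommand handlers in this file are not in the diff; confirm none of them close nl either, because main() closes it unconditionally after parse_params and any remaining close in a handler would reproduce the same double free for that subcommand. A quick grep for mnl_socket_close across src/nfct-extensions/ before merging would settle it.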

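The ownership mistake the patch fixes, as an added C illustration that is not part of the original patch, conntrack-tools or libmnl: a small stand-in for the socket handle whose close routine is instrumented to count a second close instead of freeing and aborting, a handler written the pre-patch way that closes a socket it did not open, a handler written the post-patch way that leaves closing to the caller, and a driver shaped like nfct's main() that opens, dispatches and closes once. All names (nl_handle, nl_open, nl_send, nl_close, nl_release, run_command, cmd_list_buggy, cmd_list_fixed) are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for libmnl's opaque struct mnl_socket; no real
 * netlink socket is opened. In libmnl, mnl_socket_close() closes the fd
 * and frees the struct, so a second close touches freed memory. */
struct nl_handle {
    int fd;
    int closed;   /* instrumentation: makes a second close observable */
};

/* Observed events, so a caller or test can check them instead of crashing. */
static int g_closes = 0;
static int g_double_closes = 0;

static struct nl_handle *nl_open(void)
{
    struct nl_handle *nl = calloc(1, sizeof(*nl));
    if (nl == NULL)
        return NULL;
    nl->fd = 3;   /* constructed pseudo descriptor */
    return nl;
}

/* Pretend to send a request; refuses if the socket was already closed. */
static int nl_send(struct nl_handle *nl, const char *req)
{
    if (nl->closed)
        return -1;
    return (int)strlen(req);
}

/* Instrumented close. A real mnl_socket_close() would free(nl) here;
 * keeping the memory alive lets us count the second close rather than
 * hit glibc's "double free or corruption" abort. */
static int nl_close(struct nl_handle *nl)
{
    if (nl->closed) {
        g_double_closes++;
        return -1;
    }
    nl->closed = 1;
    g_closes++;
    return 0;
}

static void nl_release(struct nl_handle *nl)
{
    free(nl);
}

typedef int (*cmd_fn)(struct nl_handle *nl);

/* Pre-patch pattern: the handler closes a socket it did not open. */
static int cmd_list_buggy(struct nl_handle *nl)
{
    if (nl_send(nl, "helper list") < 0)
        return -1;
    nl_close(nl);   /* not ours to close; the owner will close again */
    return 0;
}

/* Post-patch pattern: use the socket, leave closing to whoever opened it. */
static int cmd_list_fixed(struct nl_handle *nl)
{
    if (nl_send(nl, "helper list") < 0)
        return -1;
    return 0;
}

/* Mirrors the shape of nfct's main(): open once, dispatch, close once.
 * Returns the number of double closes observed, or -1 if the handler failed. */
static int run_command(cmd_fn cmd)
{
    g_closes = 0;
    g_double_closes = 0;
    struct nl_handle *nl = nl_open();
    if (nl == NULL)
        return -1;
    int ret = cmd(nl);
    nl_close(nl);     /* the owner's single legitimate close */
    nl_release(nl);
    return ret < 0 ? -1 : g_double_closes;
}

static int closes_seen(void)
{
    return g_closes;
}

int main(void)
{
    printf("buggy handler: %d double close(s)\n", run_command(cmd_list_buggy));
    printf("fixed handler: %d double close(s)\n", run_command(cmd_list_fixed));
    return 0;
}
```

Compiled and run, the buggy handler reports one double close and the fixed one none; with real libmnl the first close already frees the struct, which is what glibc reports as "double free or corruption (fasttop)" in the trace above. A closed flag like this, or the common alternative of having the owner set its pointer to NULL right after closing, is a cheap way to surface ownership violations in unit tests before ASan or glibc's heap checks catch them at runtime.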
Thread overview: 2+ messages
2013-10-11 20:05 Hani Benhabiles [this message]
2013-10-11 20:45 ` [PATCH conntrack-tools] nfct: Fix use-after-free / double-free Pablo Neira Ayuso
