[PATCH] nftables: Avoid duplicate call to nft_data_uninit() for same key

[PATCH] nftables: Avoid duplicate call to nft_data_uninit() for same key

[Thomas Graf]

nft_del_setelem() currently calls nft_data_uninit() twice on the same
key. Once to release the key which is guaranteed to be NFT_DATA_VALUE
and a second time in the error path to which it falls through.

The second call has been harmless so far though because the type
passed is always NFT_DATA_VALUE which is currently a no-op.

Signed-off-by: Thomas Graf <tgraf@suug.ch>
---
 net/netfilter/nf_tables_api.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 8746ff9..b35ba83 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -3218,6 +3218,7 @@ static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set,
 	if (set->flags & NFT_SET_MAP)
 		nft_data_uninit(&elem.data, set->dtype);
 
+	return 0;
 err2:
 	nft_data_uninit(&elem.key, desc.type);
 err1:
-- 
1.9.3

Re: [PATCH] nftables: Avoid duplicate call to nft_data_uninit() for same key

[Pablo Neira Ayuso]

On Fri, Aug 01, 2014 at 05:25:38PM +0200, Thomas Graf wrote:
> nft_del_setelem() currently calls nft_data_uninit() twice on the same
> key. Once to release the key which is guaranteed to be NFT_DATA_VALUE
> and a second time in the error path to which it falls through.
> 
> The second call has been harmless so far though because the type
> passed is always NFT_DATA_VALUE which is currently a no-op.

Applied, thanks Thomas.

BTW, this bug seems to be there since the very beginning:
http://lxr.free-electrons.com/source/net/netfilter/nf_tables_api.c?v=3.13#L2735