* [PATCH nft] evaluate: use-after-free in meter
@ 2019-06-13 22:58 Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2019-06-13 22:58 UTC (permalink / raw)
To: netfilter-devel
Similar to bbe139fdf5a5 ("evaluate: use-after-free in implicit set").
==12727== Invalid read of size 4
==12727== at 0x72DB515: expr_free (expression.c:86)
==12727== by 0x72D3092: set_free (rule.c:367)
==12727== by 0x72DB555: expr_destroy (expression.c:79)
==12727== by 0x72DB555: expr_free (expression.c:95)
==12727== by 0x72D7A35: meter_stmt_destroy (statement.c:137)
==12727== by 0x72D7A07: stmt_free (statement.c:50)
==12727== by 0x72D7AD7: stmt_list_free (statement.c:60)
==12727== by 0x72D32EF: rule_free (rule.c:610)
==12727== by 0x72D3834: chain_free (rule.c:827)
==12727== by 0x72D45D4: table_free (rule.c:1184)
==12727== by 0x72D46A7: __cache_flush (rule.c:293)
==12727== by 0x72D472C: cache_release (rule.c:313)
==12727== by 0x72D4A79: cache_update (rule.c:264)
==12727== Address 0x64f14c8 is 56 bytes inside a block of size 128 free'd
==12727== at 0x4C2CDDB: free (vg_replace_malloc.c:530)
==12727== by 0x72D7A2C: meter_stmt_destroy (statement.c:136)
==12727== by 0x72D7A07: stmt_free (statement.c:50)
==12727== by 0x72D7AD7: stmt_list_free (statement.c:60)
==12727== by 0x72D32EF: rule_free (rule.c:610)
==12727== by 0x72D3834: chain_free (rule.c:827)
==12727== by 0x72D45D4: table_free (rule.c:1184)
==12727== by 0x72D46A7: __cache_flush (rule.c:293)
==12727== by 0x72D472C: cache_release (rule.c:313)
==12727== by 0x72D4A79: cache_update (rule.c:264)
==12727== by 0x72F82CE: nft_evaluate (libnftables.c:388)
==12727== by 0x72F8A8B: nft_run_cmd_from_buffer (libnftables.c:428)
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
src/evaluate.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/evaluate.c b/src/evaluate.c
index 4a06c7e8f673..a41a28e97288 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -2114,7 +2114,8 @@ static int stmt_evaluate_meter(struct eval_ctx *ctx, struct stmt *stmt)
if (key->timeout)
set->set_flags |= NFT_SET_TIMEOUT;
- setref = implicit_set_declaration(ctx, stmt->meter.name, key, set);
+ setref = implicit_set_declaration(ctx, stmt->meter.name,
+ expr_get(key), set);
setref->set->desc.size = stmt->meter.size;
stmt->meter.set = setref;
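Review bot: the description should state why the extra reference is needed, namely that after implicit_set_declaration() the key expression is owned both by the meter statement and by the implicit set, which the Valgrind trace above already shows (freed from meter_stmt_destroy at statement.c:136, then read again from set_free via expr_free at expression.c:86); "Similar to bbe139fdf5a5" alone forces the reader to look up that commit. Taking the reference with expr_get(key) at the call site matches that ownership split. One thing to confirm in the same hunk: setref is dereferenced unconditionally on the next line (setref->set->desc.size = stmt->meter.size;), so if implicit_set_declaration() can return NULL, that path would now also leak the reference taken here; if it cannot fail, a short note in the description saying so would close the question.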
--
2.11.0