netfilter: nf_tables: fix double-free on set expression from the error path

After copying the expression to the set element extension, release the expression and reset the pointer to avoid a double-free from the error path. Fixes: 40944452 ("netfilter: nf_tables: add elements with stateful expressions") Signed-off-by: N Pablo Neira Ayuso <pablo@netfilter.org>

netfilter: nf_tables: fix double-free on set expression from the error path
After copying the expression to the set element extension, release the expression and reset the pointer to avoid a double-free from the error path. Fixes: 40944452 ("netfilter: nf_tables: add elements with stateful expressions") Signed-off-by: N Pablo Neira Ayuso <pablo@netfilter.org>
772f4e82 · Pablo Neira Ayuso · 65038428 · 772f4e82
隐藏空白更改
内联并排

Showing with 1 addition and 0 deletion

net/netfilter/nf_tables_api.c net/netfilter/nf_tables_api.c +1 -0

未找到文件。
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -5133,6 +5133,7 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
 	if (expr) {
 		memcpy(nft_set_ext_expr(ext), expr, expr->ops->size);
 		kfree(expr);
+		expr = NULL;
 	}

 	trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);