netfilter: nf_tables: fix double-free on set expression from the error path

After copying the expression to the set element extension, release the expression and reset the pointer to avoid a double-free from the error path. Fixes: 409444522976 ("netfilter: nf_tables: add elements with stateful expressions") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Pablo Neira Ayuso <pablo@netfilter.org> 2020-03-18 03:14:58 +0300
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2020-03-19 13:37:31 +0300
commit: 772f4e82b3ffa1eb7412cd531f718a96a0e5474b (patch)
tree: 02f124a9b7488b8365888fac325b09abff16cf7f /net/netfilter
parent: 65038428b2c6c5be79d3f78a6b79c0cdc3a58a41 (diff)
download: linux-772f4e82b3ffa1eb7412cd531f718a96a0e5474b.tar.xz
1 files changed, 1 insertions, 0 deletions
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index f1910cd795fd..29ad33e52dbb 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -5133,6 +5133,7 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
 	if (expr) {
 		memcpy(nft_set_ext_expr(ext), expr, expr->ops->size);
 		kfree(expr);
+		expr = NULL;
 	}
 
 	trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);
author	Pablo Neira Ayuso <pablo@netfilter.org>	2020-03-18 03:14:58 +0300
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2020-03-19 13:37:31 +0300
commit	772f4e82b3ffa1eb7412cd531f718a96a0e5474b (patch)
tree	02f124a9b7488b8365888fac325b09abff16cf7f /net/netfilter
parent	65038428b2c6c5be79d3f78a6b79c0cdc3a58a41 (diff)
download	linux-772f4e82b3ffa1eb7412cd531f718a96a0e5474b.tar.xz