From: Florian Westphal <fw@strlen.de>
Date: Tue, 7 Jan 2025 22:55:06 +0000 (+0100)
Subject: parser_bison: fix UaF when reporting table parse error
X-Git-Tag: v1.1.2~105
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3ba0e5af6b5da9dfff5273bc1f0f15a60a9fe33b;p=thirdparty%2Fnftables.git

parser_bison: fix UaF when reporting table parse error

It passed already-freed memory to erec function.  Found with afl++ and asan.

Fixes: 4955ae1a81b7 ("Add support for table's persist flag")
Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
---

diff --git a/src/parser_bison.y b/src/parser_bison.y
index e107ddfd..31ccc5e2 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -1940,12 +1940,14 @@ table_flags		:	table_flag
 table_flag		:	STRING
 			{
 				$$ = parse_table_flag($1);
-				free_const($1);
 				if ($$ == 0) {
 					erec_queue(error(&@1, "unknown table option %s", $1),
 						   state->msgs);
+					free_const($1);
 					YYERROR;
 				}
+
+				free_const($1);
 			}
 			;