evaluate: UAF in hook priority expression
authorPablo Neira Ayuso <pablo@netfilter.org>
Tue, 28 Jul 2020 17:49:26 +0000 (19:49 +0200)
committerPablo Neira Ayuso <pablo@netfilter.org>
Wed, 29 Jul 2020 21:40:58 +0000 (23:40 +0200)
Release priority expression right before assigning the constant
expression that results from the evaluation.

Fixes: 627c451b2351 ("src: allow variables in the chain priority specification")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
src/evaluate.c

index a9822ebc85bbdd80c669e27e8d108d0837d1c931..a99b1143734290a6b36e7e9e2b481bdf583babc1 100644 (file)
@@ -3707,7 +3707,6 @@ static bool evaluate_priority(struct eval_ctx *ctx, struct prio_spec *prio,
        mpz_export_data(prio_str, prio->expr->value, BYTEORDER_HOST_ENDIAN,
                        NFT_NAME_MAXLEN);
        loc = prio->expr->location;
-       expr_free(prio->expr);
 
        if (sscanf(prio_str, "%s %c %d", prio_fst, &op, &prio_snd) < 3) {
                priority = std_prio_lookup(prio_str, family, hook);
@@ -3724,6 +3723,7 @@ static bool evaluate_priority(struct eval_ctx *ctx, struct prio_spec *prio,
                else
                        return false;
        }
+       expr_free(prio->expr);
        prio->expr = constant_expr_alloc(&loc, &integer_type,
                                         BYTEORDER_HOST_ENDIAN,
                                         sizeof(int) * BITS_PER_BYTE,
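Review bot: The relocated `expr_free(prio->expr)` on the added line deserves a comment, because a later reader may be tempted to move it back up beside the `mpz_export_data`/`loc` copy where the expression's contents are last read, reintroducing the dangling pointer on the `return false` path just above it; I would add `/* Free the original expression only now: the error returns above must leave prio->expr valid for whoever frees it later. */` directly above the call. Copying `loc` before the free is still required, since `constant_expr_alloc` takes `&loc` after the original expression is gone. The lines between the two hunks and the remainder of evaluate_priority are outside the hunk, so any other early return there is presumably also covered by this move but cannot be confirmed here. Unrelated to the fix, the unbounded `%s` in the sscanf shown in the first hunk relies on prio_fst being at least as large as prio_str (NFT_NAME_MAXLEN bytes); if its declaration does not guarantee that, a field width on that conversion would be worth adding.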