flowtable: Fix use after free in two spots
authorPhil Sutter <phil@nwl.cc>
Thu, 20 Dec 2018 20:03:29 +0000 (21:03 +0100)
committerPablo Neira Ayuso <pablo@netfilter.org>
Fri, 21 Dec 2018 11:04:55 +0000 (12:04 +0100)
When freeing flowtable devices array, the loop freeing each device
string incorrectly included the call to free the device array itself.

Fixes: eb58f53372e74 ("src: add flowtable support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
src/flowtable.c

index caf3c13841f583bb52b93c3e60203fdb0e55c944..14cb12f7f2a1903c794dd0621d3b85d5f0b79134 100644 (file)
@@ -85,10 +85,9 @@ void nftnl_flowtable_unset(struct nftnl_flowtable *c, uint16_t attr)
        case NFTNL_FLOWTABLE_FLAGS:
                break;
        case NFTNL_FLOWTABLE_DEVICES:
-               for (i = 0; i < c->dev_array_len; i++) {
+               for (i = 0; i < c->dev_array_len; i++)
                        xfree(c->dev_array[i]);
-                       xfree(c->dev_array);
-               }
+               xfree(c->dev_array);
                break;
        default:
                return;
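Review bot: After the new `xfree(c->dev_array);` in the `NFTNL_FLOWTABLE_DEVICES` case, `c->dev_array` still holds the freed pointer and `c->dev_array_len` keeps its old count. That is safe only if every later reader first checks the attribute flag, which is presumably cleared after the switch, outside this hunk. Resetting the fields next to the free would make a stale read harmless: `c->dev_array = NULL;` and `c->dev_array_len = 0;`. A short comment such as `/* free each device name, then the array that held them */` above the loop would also record why the second free sits outside it.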
@@ -146,10 +145,9 @@ int nftnl_flowtable_set_data(struct nftnl_flowtable *c, uint16_t attr,
                        len++;
 
                if (c->flags & (1 << NFTNL_FLOWTABLE_DEVICES)) {
-                       for (i = 0; i < c->dev_array_len; i++) {
+                       for (i = 0; i < c->dev_array_len; i++)
                                xfree(c->dev_array[i]);
-                               xfree(c->dev_array);
-                       }
+                       xfree(c->dev_array);
                }
 
                c->dev_array = calloc(len + 1, sizeof(char *));
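Review bot: The old device array is released before its replacement is allocated, so a failing `calloc` on the last visible line leaves the object inconsistent: `c->dev_array` is NULL while `c->dev_array_len` still holds the previous count. The `NFTNL_FLOWTABLE_DEVICES` bit is still set on this path, so if the function returns early on that failure (the handling is outside this hunk), a later unset or free would index a NULL array in its cleanup loop. Adding `c->dev_array_len = 0;` right after `xfree(c->dev_array);` closes that gap. Allocating the new array into a temporary and freeing the old one only once the allocation has succeeded would also work.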