netlink_delinearize: fix double free in relational_binop_postprocess()

free(expr->right) and free(value) point to the same object, so one
single free() is enough.

This manifests in valgrind with:

==4020== Invalid read of size 4
==4020==    at 0x40A429: expr_free (expression.c:65)
==4020==    by 0x414032: expr_postprocess (netlink_delinearize.c:747)
==4020==    by 0x414C33: netlink_delinearize_rule (netlink_delinearize.c:883)
==4020==    by 0x411305: netlink_events_cb (netlink.c:1692)
==4020==    by 0x55040AD: mnl_cb_run (callback.c:77)
==4020==    by 0x4171E4: nft_mnl_recv (mnl.c:45)
==4020==    by 0x407B44: do_command (rule.c:895)
==4020==    by 0x405C6C: nft_run (main.c:183)
==4020==    by 0x405849: main (main.c:334)
==4020==  Address 0x5d126f8 is 56 bytes inside a block of size 120 free'd
==4020==    at 0x4C2AF5C: free (vg_replace_malloc.c:446)
==4020==    by 0x41402A: expr_postprocess (netlink_delinearize.c:746)
==4020==    by 0x414C33: netlink_delinearize_rule (netlink_delinearize.c:883)
==4020==    by 0x411305: netlink_events_cb (netlink.c:1692)
==4020==    by 0x55040AD: mnl_cb_run (callback.c:77)
==4020==    by 0x4171E4: nft_mnl_recv (mnl.c:45)
==4020==    by 0x407B44: do_command (rule.c:895)
==4020==    by 0x405C6C: nft_run (main.c:183)
==4020==    by 0x405849: main (main.c:334)
==4020==

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index 62cbf0e4461eec2e4cb0ac7c71995639ecc09f54..479c6439b726edf07cb3761dd26b7a775c4348f1 100644 (file)
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
@@ -743,7 +743,6 @@ static void relational_binop_postprocess(struct expr *expr)
                 * Split the flags into a list of flag values and convert the
                 * op to OP_FLAGCMP.
                 */
-               expr_free(expr->right);
                expr_free(value);
 
                expr->left  = expr_get(binop->left);