evaluate: UAF in stmt_evaluate_log_prefix()

Release existing list expression including variables after creating the
prefix string.

Fixes: 96c909ef46f0 ("src: allow for variables in the log prefix string")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/src/evaluate.c b/src/evaluate.c
index f12c88a07fb5712e93cafc4319b0a8352d05ab3b..67eb5d6014fbeb15b95eca4e4bcbce1acac5e5fc 100644 (file)
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -3291,13 +3291,12 @@ static int stmt_evaluate_log_prefix(struct eval_ctx *ctx, struct stmt *stmt)
        if (len == NF_LOG_PREFIXLEN)
                return stmt_error(ctx, stmt, "log prefix is too long");
 
+       expr = constant_expr_alloc(&stmt->log.prefix->location, &string_type,
+                                  BYTEORDER_HOST_ENDIAN,
+                                  strlen(prefix) * BITS_PER_BYTE, prefix);
        expr_free(stmt->log.prefix);
+       stmt->log.prefix = expr;
 
-       stmt->log.prefix =
-               constant_expr_alloc(&stmt->log.prefix->location, &string_type,
-                                   BYTEORDER_HOST_ENDIAN,
-                                   strlen(prefix) * BITS_PER_BYTE,
-                                   prefix);
        return 0;
 }