From: Phil Sutter <phil@nwl.cc>
Date: Thu, 9 Jan 2020 16:43:11 +0000 (+0100)
Subject: monitor: Fix for use after free when printing map elements
X-Git-Tag: v0.9.4~105
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=02174ffad484d9711678e5d415c32307efc39857;p=thirdparty%2Fnftables.git

monitor: Fix for use after free when printing map elements

When populating the dummy set, 'data' field must be cloned just like
'key' field.

Fixes: 343a51702656a ("src: store expr, not dtype to track data in sets")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
---

diff --git a/src/monitor.c b/src/monitor.c
index 84505eb91..53a8bcd46 100644
--- a/src/monitor.c
+++ b/src/monitor.c
@@ -401,7 +401,8 @@ static int netlink_events_setelem_cb(const struct nlmsghdr *nlh, int type,
 	 */
 	dummyset = set_alloc(monh->loc);
 	dummyset->key = expr_clone(set->key);
-	dummyset->data = set->data;
+	if (set->data)
+		dummyset->data = expr_clone(set->data);
 	dummyset->flags = set->flags;
 	dummyset->init = set_expr_alloc(monh->loc, set);