From: Carlos Falgueras García
Date: Tue, 17 May 2016 16:00:15 +0000 (+0200)
Subject: rule: Fix segfault due to invalid free of rule user data
X-Git-Tag: libnftnl-1.0.6~3
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0edd209705bc4cf9d2a9e17084310c02d81f4d64;p=thirdparty%2Flibnftnl.git

rule: Fix segfault due to invalid free of rule user data

If the user allocates a nftnl_udata_buf and then passes the TLV data to nftnl_rule_set_data, the pointer stored in rule.user.data is not the beginning of the allocated block. In this situation, if it calls to nftnl_rule_free, it tries to free this pointer and segfault is thrown.

Signed-off-by: Carlos Falgueras García
Signed-off-by: Pablo Neira Ayuso
---
diff --git a/src/rule.c b/src/rule.c index c299548c..8ee8648a 100644 --- a/src/rule.c +++ b/src/rule.c @@ -167,7 +167,11 @@ void nftnl_rule_set_data(struct nftnl_rule *r, uint16_t attr, if (r->user.data != NULL) xfree(r->user.data); - r->user.data = (void *)data; + r->user.data = malloc(data_len); + if (!r->user.data) + return; + + memcpy(r->user.data, data, data_len); r->user.len = data_len; break; }
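Review bot: On the allocation-failure path in nftnl_rule_set_data, the early `return` leaves the rule in an inconsistent state: the previous buffer has already been released by `xfree(r->user.data)`, `r->user.data` is now NULL, but `r->user.len` still holds the old length, and since the function returns void the caller cannot tell that the set failed. Suggest allocating into a temporary pointer first and only freeing and replacing the old buffer once the allocation has succeeded, or at minimum setting `r->user.len = 0` before returning. Note also that `malloc(data_len)` is allowed to return NULL when `data_len` is 0, which this check would treat as a failure. Because the setter now copies the data instead of storing the caller's pointer, it would be worth documenting that the caller keeps ownership of its nftnl_udata_buf and must still free it.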