From: Stefano Brivio Date: Wed, 22 Aug 2018 09:22:53 +0000 (+0200) Subject: Fix use-after-free in ipset_parse_name_compat() X-Git-Tag: v7.0~21 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=623f05ed26bd7b3580954a2b495047ae976d360b;p=thirdparty%2Fipset.git Fix use-after-free in ipset_parse_name_compat() When check_setname is used in ipset_parse_name_compat(), the 'str' and 'saved' macro arguments point in fact to the same buffer. Free the 'saved' argument only after using it. While at it, remove a useless NULL check on 'saved'. Signed-off-by: Stefano Brivio Signed-off-by: Jozsef Kadlecsik --- diff --git a/lib/parse.c b/lib/parse.c index 9a79ccda..4963d519 100644 --- a/lib/parse.c +++ b/lib/parse.c @@ -1396,10 +1396,11 @@ ipset_parse_iptimeout(struct ipset_session *session, #define check_setname(str, saved) \ do { \ if (strlen(str) > IPSET_MAXNAMELEN - 1) { \ - if (saved != NULL) \ - free(saved); \ - return syntax_err("setname '%s' is longer than %u characters",\ + int err; \ + err = syntax_err("setname '%s' is longer than %u characters",\ str, IPSET_MAXNAMELEN - 1); \ + free(saved); \ + return err; \ } \ } while (0)
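Review bot: The ownership contract of check_setname is still undocumented at the `#define check_setname(str, saved)` line. On the error path the macro frees `saved` and returns from the enclosing function, and per the commit message `str` can alias `saved` (as in ipset_parse_name_compat()), so `free(saved)` has to stay after the syntax_err() call that formats `str`. Nothing in the macro says so, and a later cleanup could reorder the two lines and reintroduce the use-after-free. Suggest a short comment above the define stating that `saved` is freed on failure, that `str` may point into it, and that the macro returns from the caller. Smaller point on the added `int err;`: a local declared inside a macro body shadows any variable named `err` in the calling function, if one exists, so a macro-specific name would be safer. Dropping the `saved != NULL` check is fine, since free(NULL) is a no-op.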