libnftables: Zero ctx->vars after freeing it

commit d361be1f8734461e27117f6c569acf2189fcf81e upstream.

Leaving the invalid pointer value in place will cause a double-free when
users call nft_ctx_clear_vars() first, then nft_ctx_free(). Moreover,
nft_ctx_add_var() passes the pointer to mrealloc() and thus assumes it
to be either NULL or valid.

Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1772
Fixes: 9edaa6a51eab4 ("src: add --define key=value")
Signed-off-by: Phil Sutter <phil@nwl.cc>

diff --git a/src/libnftables.c b/src/libnftables.c
index b99dff4a576a6f06b64b4a49fa561d3b1ee19403..93f7b3395b793b5138ac7d428c273804036d191f 100644 (file)
--- a/src/libnftables.c
+++ b/src/libnftables.c
@@ -153,6 +153,7 @@ void nft_ctx_clear_vars(struct nft_ctx *ctx)
        }
        ctx->num_vars = 0;
        xfree(ctx->vars);
+       ctx->vars = NULL;
 }
 
 EXPORT_SYMBOL(nft_ctx_add_include_path);