From: Phil Sutter Date: Tue, 3 Sep 2024 15:43:19 +0000 (+0200) Subject: libnftables: Zero ctx->vars after freeing it X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=a51953d97f7bc41b1711dfd62370ee573bde7b9f;p=thirdparty%2Fnftables.git libnftables: Zero ctx->vars after freeing it commit d361be1f8734461e27117f6c569acf2189fcf81e upstream. Leaving the invalid pointer value in place will cause a double-free when users call nft_ctx_clear_vars() first, then nft_ctx_free(). Moreover, nft_ctx_add_var() passes the pointer to mrealloc() and thus assumes it to be either NULL or valid. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1772 Fixes: 9edaa6a51eab4 ("src: add --define key=value") Signed-off-by: Phil Sutter --- diff --git a/src/libnftables.c b/src/libnftables.c index b99dff4a..93f7b339 100644 --- a/src/libnftables.c +++ b/src/libnftables.c @@ -153,6 +153,7 @@ void nft_ctx_clear_vars(struct nft_ctx *ctx) } ctx->num_vars = 0; xfree(ctx->vars); + ctx->vars = NULL; } EXPORT_SYMBOL(nft_ctx_add_include_path);
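Review bot: The added `ctx->vars = NULL;` after `xfree(ctx->vars);` in nft_ctx_clear_vars() has no regression test, since the diff touches only src/libnftables.c. The commit message names two sequences that depend on it: nft_ctx_clear_vars() followed by nft_ctx_free() (the double-free), and nft_ctx_clear_vars() followed by nft_ctx_add_var() (the pointer handed to mrealloc()). A small test that runs both sequences under a memory checker would keep this from coming back. The hunk also resets `ctx->num_vars` and `ctx->vars` in two separate statements, so a short comment that the pair must stay in sync (count 0, pointer NULL) would help the next person who edits this function. Whether other clear-style functions in the file free a ctx member and leave the pointer in place cannot be seen from this hunk, but it is worth checking while the pattern is fresh.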