From 974e090330d64d68db7315a27b761a3d8439245e Mon Sep 17 00:00:00 2001 From: "Sebastian Walz (sivizius)" Date: Mon, 19 Aug 2024 19:58:14 +0200 Subject: [PATCH] parser_json: release buffer returned by json_dumps commit 46700fbdbbbaab0d7db716fce3a438334c58ac9e upstream. The signature of `json_dumps` is: `char *json_dumps(const json_t *json, size_t flags)`: It will return a pointer to an owned string, the caller must free it. However, `json_error` just borrows the string to format it as `%s`, but after printing the formatted error message, the pointer to the string is lost and thus never freed. Fixes: 586ad210368b ("libnftables: Implement JSON parser") Signed-off-by: Sebastian Walz (sivizius) Signed-off-by: Pablo Neira Ayuso --- src/parser_json.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/src/parser_json.c b/src/parser_json.c index 461d9d31..de36c3ad 100644 --- a/src/parser_json.c +++ b/src/parser_json.c @@ -174,8 +174,11 @@ static int json_unpack_stmt(struct json_ctx *ctx, json_t *root, assert(value); if (json_object_size(root) != 1) { + const char *dump = json_dumps(root, 0); + json_error(ctx, "Malformed object (too many properties): '%s'.", - json_dumps(root, 0)); + dump); + xfree(dump); return 1; } @@ -3240,8 +3243,10 @@ static struct cmd *json_parse_cmd_add_set(struct json_ctx *ctx, json_t *root, } else if ((set->data = json_parse_dtype_expr(ctx, tmp))) { set->flags |= NFT_SET_MAP; } else { - json_error(ctx, "Invalid map type '%s'.", - json_dumps(tmp, 0)); + const char *dump = json_dumps(tmp, 0); + + json_error(ctx, "Invalid map type '%s'.", dump); + xfree(dump); set_free(set); handle_free(&h); return NULL; -- 2.47.2