netfilter: nf_tables: fix double-free on set expression from the error path

After copying the expression to the set element extension, release the expression and reset the pointer to avoid a double-free from the error path. Fixes: 4094445229 ("netfilter: nf_tables: add elements with stateful expressions") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2020-03-18 01:14:58 +01:00 · 2020-03-18 01:14:58 +01:00 · 772f4e82b3
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@ -5133,6 +5133,7 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
 	if (expr) {
 		memcpy(nft_set_ext_expr(ext), expr, expr->ops->size);
 		kfree(expr);
+		expr = NULL;
 	}

 	trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set);