diff options
author | V3n3RiX <venerix@koprulu.sector> | 2022-02-02 01:39:05 +0000 |
---|---|---|
committer | V3n3RiX <venerix@koprulu.sector> | 2022-02-02 01:39:05 +0000 |
commit | fcc5224904648a8e6eb528d7603154160a20022f (patch) | |
tree | 3bfce096b38a9cea8eed13fc70c1526c456e9abd /net-firewall/iptables/files | |
parent | 2fd57282f0262ca084e05b0f2c63fbada395d02b (diff) |
gentoo resync : 02.02.2022
Diffstat (limited to 'net-firewall/iptables/files')
-rw-r--r-- | net-firewall/iptables/files/iptables-1.8.7-cache-double-free.patch | 61 |
1 files changed, 61 insertions, 0 deletions
diff --git a/net-firewall/iptables/files/iptables-1.8.7-cache-double-free.patch b/net-firewall/iptables/files/iptables-1.8.7-cache-double-free.patch new file mode 100644 index 000000000000..fc88636d2944 --- /dev/null +++ b/net-firewall/iptables/files/iptables-1.8.7-cache-double-free.patch @@ -0,0 +1,61 @@ +commit 4318961230bce82958df82b57f1796143bf2f421 +Author: Phil Sutter <phil@nwl.cc> +Date: Tue Sep 21 11:39:45 2021 +0200 + + nft: cache: Avoid double free of unrecognized base-chains + + On error, nft_cache_add_chain() frees the allocated nft_chain object + along with the nftnl_chain it points at. Fix nftnl_chain_list_cb() to + not free the nftnl_chain again in that case. + + Fixes: 176c92c26bfc9 ("nft: Introduce a dedicated base chain array") + Signed-off-by: Phil Sutter <phil@nwl.cc> + +diff --git a/iptables/nft-cache.c b/iptables/nft-cache.c +index 2c88301c..9a03bbfb 100644 +--- a/iptables/nft-cache.c ++++ b/iptables/nft-cache.c +@@ -314,9 +314,7 @@ static int nftnl_chain_list_cb(const struct nlmsghdr *nlh, void *data) + goto out; + } + +- if (nft_cache_add_chain(h, t, c)) +- goto out; +- ++ nft_cache_add_chain(h, t, c); + return MNL_CB_OK; + out: + nftnl_chain_free(c); +diff --git a/iptables/tests/shell/testcases/chain/0004extra-base_0 b/iptables/tests/shell/testcases/chain/0004extra-base_0 +new file mode 100755 +index 00000000..1b85b060 +--- /dev/null ++++ b/iptables/tests/shell/testcases/chain/0004extra-base_0 +@@ -0,0 +1,27 @@ ++#!/bin/bash ++ ++case $XT_MULTI in ++*xtables-nft-multi) ++ ;; ++*) ++ echo skip $XT_MULTI ++ exit 0 ++ ;; ++esac ++ ++set -e ++ ++nft -f - <<EOF ++table ip filter { ++ chain INPUT { ++ type filter hook input priority filter ++ counter packets 218 bytes 91375 accept ++ } ++ ++ chain x { ++ type filter hook input priority filter ++ } ++} ++EOF ++ ++$XT_MULTI iptables -L |