From 623f05ed26bd7b3580954a2b495047ae976d360b Mon Sep 17 00:00:00 2001
From: Stefano Brivio
Date: Wed, 22 Aug 2018 11:22:53 +0200
Subject: [PATCH] Fix use-after-free in ipset_parse_name_compat()
When check_setname is used in ipset_parse_name_compat(), the 'str' and 'saved' macro arguments point in fact to the same buffer. Free the 'saved' argument only after using it. While at it, remove a useless NULL check on 'saved'.
Signed-off-by: Stefano Brivio
Signed-off-by: Jozsef Kadlecsik
---
 lib/parse.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/lib/parse.c b/lib/parse.c
index 9a79ccd..4963d51 100644
--- a/lib/parse.c
+++ b/lib/parse.c
@@ -1396,10 +1396,11 @@ ipset_parse_iptimeout(struct ipset_session *session,
 #define check_setname(str, saved) \
 do { \
 if (strlen(str) > IPSET_MAXNAMELEN - 1) { \
- if (saved != NULL) \
- free(saved); \
- return syntax_err("setname '%s' is longer than %u characters",\
+ int err; \
+ err = syntax_err("setname '%s' is longer than %u characters",\
 str, IPSET_MAXNAMELEN - 1); \
+ free(saved); \
+ return err; \
 } \
 } while (0)
--
2.40.0
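Review bot: The statement order inside the macro body is now load-bearing — `syntax_err()` has to consume `str` before `free(saved)` runs because, per the commit message, the two arguments can be the same heap buffer in `ipset_parse_name_compat()` — yet nothing in the macro text records that, so a later "tidy-up" that moves the `free` back up would silently reintroduce the use-after-free. I would add a comment directly above the `free(saved);` line: `/* 'saved' may alias 'str' (ipset_parse_name_compat() passes the same buffer): format the message before freeing it. */`. The now-unconditional `free(saved)` is fine for NULL, but it makes every call site responsible for passing either NULL or a pointer that owns heap memory, and that contract belongs in the same comment since callers of check_setname are outside this hunk. As a style nit, `int err;` followed by a separate assignment could be collapsed to `int err = syntax_err(...);` to keep the block one line shorter.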