Fix use-after-free in ipset_parse_name_compat()
authorStefano Brivio <sbrivio@redhat.com>
Wed, 22 Aug 2018 09:22:53 +0000 (11:22 +0200)
committerJozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Mon, 27 Aug 2018 11:40:09 +0000 (13:40 +0200)
When check_setname is used in ipset_parse_name_compat(), the
'str' and 'saved' macro arguments point in fact to the same
buffer. Free the 'saved' argument only after using it.

While at it, remove a useless NULL check on 'saved'.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
lib/parse.c

index 9a79ccda796c4ccf18c61200801c888b1e648582..4963d519c6312ce77534dae31560d40b2c8162cc 100644 (file)
@@ -1396,10 +1396,11 @@ ipset_parse_iptimeout(struct ipset_session *session,
 #define check_setname(str, saved)                                      \
 do {                                                                   \
        if (strlen(str) > IPSET_MAXNAMELEN - 1) {                       \
-               if (saved != NULL)                                      \
-                       free(saved);                                    \
-               return syntax_err("setname '%s' is longer than %u characters",\
+               int err;                                                \
+               err = syntax_err("setname '%s' is longer than %u characters",\
                                  str, IPSET_MAXNAMELEN - 1);           \
+               free(saved);                                            \
+               return err;                                             \
        }                                                               \
 } while (0)
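Review bot: The ownership contract of `check_setname` is still not written down at its definition: the macro frees `saved` and returns from the enclosing function, and `str` may point into the same buffer as `saved`, which is what made the old free-then-format order a use-after-free. A comment above the `#define` would keep a later edit from reordering the two statements again, for example `/* str may alias saved: build the error message before free(saved); this macro returns from the caller */`. Separately, the new block-local `int err;` will shadow any `err` already declared in a calling function and trigger `-Wshadow` there; the call sites are outside this hunk, so whether that happens today is unconfirmed. A macro-specific name such as `check_err` avoids the question.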