oss-sec mailing list archives
use-after-free in src/libnetfilter_cthelper.c
From: Seth Arnold <seth.arnold () canonical com>
Date: Mon, 20 Apr 2015 19:57:10 -0700
Hello Pablo, all,

I noticed a use-after-free in src/libnetfilter_cthelper.c:

    void nfct_helper_free(struct nfct_helper *h)
    {
            int i;

            free(h);
            for (i=0; i<NF_CT_HELPER_CLASS_MAX; i++) {
                    if (h->expect_policy[i])
                            free(h->expect_policy[i]);
            }
    }

A simple fix would move the free(h) line below the for() loop.

Does this issue deserve a CVE? Determining exploitability is not my expertise.

A simple browsable version can be found at:
http://sources.debian.net/src/libnetfilter-cthelper/1.0.0-1/src/libnetfilter_cthelper.c/?hl=109#L108

Some callers of this function can be found in the conntrack package:
https://codesearch.debian.net/results/nfct_helper_free%20package%3Aconntrack/page_0

Thanks
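The following is an added example, not code from libnetfilter_cthelper or from the report above. It models the free-order bug in nfct_helper_free() next to the corrected order. The struct layout, the policy fields, the value of NF_CT_HELPER_CLASS_MAX (4 here) and the "ftp" sample helper are assumptions made for the demonstration; the tracking allocator (q_alloc/q_free) is a stand-in for malloc/free that poisons a released block instead of unmapping it and rejects pointers it never handed out, so the stale read through h after free(h) shows up as a count of bogus free attempts plus leaked policy blocks rather than as undefined behaviour.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed values and layout: only as large as the demonstration needs. */
#define NF_CT_HELPER_CLASS_MAX 4
#define MAX_BLOCKS 64
#define POISON 0xAA

struct nfct_helper_policy { unsigned int max_expected; unsigned int timeout; };
struct nfct_helper {
    char name[16];
    struct nfct_helper_policy *expect_policy[NF_CT_HELPER_CLASS_MAX];
};

/* Tracking allocator (stand-in for malloc/free): a released block is poisoned
 * and parked in a quarantine, so memory stays mapped and a later read through
 * a freed pointer yields POISON bytes instead of undefined behaviour. */
static void *live[MAX_BLOCKS];
static size_t live_size[MAX_BLOCKS];
static int live_count;
static void *quarantine[MAX_BLOCKS];
static int quarantine_count;
static int invalid_frees;

static void *q_alloc(size_t n) {
    void *p = calloc(1, n);
    if (!p || live_count == MAX_BLOCKS) abort();
    live[live_count] = p;
    live_size[live_count] = n;
    live_count++;
    return p;
}

static void q_free(void *p) {
    for (int i = 0; i < live_count; i++) {
        if (live[i] == p) {
            memset(p, POISON, live_size[i]);          /* poison, keep mapped */
            quarantine[quarantine_count++] = p;
            live[i] = live[live_count - 1];           /* swap-remove from live set */
            live_size[i] = live_size[live_count - 1];
            live_count--;
            return;
        }
    }
    invalid_frees++;            /* not a live block: double free or garbage pointer */
}

static void q_reset(void) {     /* really release everything, then start clean */
    for (int i = 0; i < live_count; i++) free(live[i]);
    for (int i = 0; i < quarantine_count; i++) free(quarantine[i]);
    live_count = quarantine_count = invalid_frees = 0;
}

/* Order as posted: the parent is released, then its policy pointers are read. */
static void nfct_helper_free_wrong(struct nfct_helper *h) {
    int i;
    q_free(h);
    for (i = 0; i < NF_CT_HELPER_CLASS_MAX; i++)
        if (h->expect_policy[i])          /* stale read: sees POISON, not NULL */
            q_free(h->expect_policy[i]);  /* passes a garbage pointer to free */
}

/* Suggested fix: release the children first, the parent last. */
static void nfct_helper_free_right(struct nfct_helper *h) {
    int i;
    for (i = 0; i < NF_CT_HELPER_CLASS_MAX; i++)
        if (h->expect_policy[i])
            q_free(h->expect_policy[i]);
    q_free(h);
}

/* Constructed sample: a helper with two expectation policies attached. */
static struct nfct_helper *make_helper(int npolicies) {
    struct nfct_helper *h = q_alloc(sizeof *h);
    strcpy(h->name, "ftp");
    for (int i = 0; i < npolicies && i < NF_CT_HELPER_CLASS_MAX; i++) {
        h->expect_policy[i] = q_alloc(sizeof *h->expect_policy[i]);
        h->expect_policy[i]->max_expected = 1;
    }
    return h;
}

struct outcome { int invalid_frees; int leaked; };

static struct outcome run(void (*release)(struct nfct_helper *)) {
    struct outcome o;
    q_reset();
    release(make_helper(2));
    o.invalid_frees = invalid_frees;  /* frees attempted on non-live pointers */
    o.leaked = live_count;            /* policy blocks never released */
    q_reset();
    return o;
}

struct outcome run_wrong_order(void) { return run(nfct_helper_free_wrong); }
struct outcome run_right_order(void) { return run(nfct_helper_free_right); }

int main(void) {
    struct outcome w = run_wrong_order(), r = run_right_order();
    printf("free(h) first: %d bogus frees, %d leaked policies\n", w.invalid_frees, w.leaked);
    printf("policies first: %d bogus frees, %d leaked policies\n", r.invalid_frees, r.leaked);
    return 0;
}
```

With the posted order every slot of expect_policy reads back as poison, so the loop hands NF_CT_HELPER_CLASS_MAX garbage pointers to free and the two real policies are never released; with the loop moved above free(h) both counts drop to zero. Under the real allocator the same stale read is what ASan or valgrind would flag as a heap-use-after-free in the caller that invokes nfct_helper_free().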
Current thread:
- use-after-free in src/libnetfilter_cthelper.c Seth Arnold (Apr 20)
- Re: use-after-free in src/libnetfilter_cthelper.c Pablo Neira Ayuso (Apr 22)