oss-sec mailing list archives

use-after-free in src/libnetfilter_cthelper.c


From: Seth Arnold <seth.arnold () canonical com>
Date: Mon, 20 Apr 2015 19:57:10 -0700

Hello Pablo, all,

I noticed a use-after-free in src/libnetfilter_cthelper.c:

void nfct_helper_free(struct nfct_helper *h)
{
        int i;

        free(h);        /* h is released here ... */
        for (i=0; i<NF_CT_HELPER_CLASS_MAX; i++) {
                if (h->expect_policy[i])        /* ... and dereferenced afterwards */
                        free(h->expect_policy[i]);
        }
}

A simple fix would move the free(h) line below the for() loop.

Does this issue deserve a CVE? Determining exploitability is not my
expertise.

A simple browsable version can be found at:
http://sources.debian.net/src/libnetfilter-cthelper/1.0.0-1/src/libnetfilter_cthelper.c/?hl=109#L108

Some callers of this function can be found in the conntrack package:
https://codesearch.debian.net/results/nfct_helper_free%20package%3Aconntrack/page_0

Thanks

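The corrected release order described above, as an added example that is not part of the original message or of libnetfilter_cthelper. The struct layout, the policy type, the `make_helper` / `helper_roundtrip` helpers and the release counter are constructed stand-ins for illustration; only `NF_CT_HELPER_CLASS_MAX` and the `expect_policy` array name come from the posted snippet. The point it demonstrates is that every child pointer must be read before the parent block is freed, since the parent is the only place those pointers live.

```c
#include <stdlib.h>
#include <stdio.h>

/* Constructed stand-in for the library's types (not the real definitions). */
#define NF_CT_HELPER_CLASS_MAX 4

struct nfct_helper_policy {
        char name[16];
        unsigned int max_expected;
};

struct nfct_helper {
        char name[16];
        struct nfct_helper_policy *expect_policy[NF_CT_HELPER_CLASS_MAX];
};

/* Counter so a test can verify every policy was released exactly once. */
static int policies_released;

static void policy_release(struct nfct_helper_policy *p)
{
        policies_released++;
        free(p);
}

/* Corrected release order: children first, then the parent.  This is the
 * fix proposed in the message (free(h) moved below the loop), so the
 * expect_policy[] slots are read while h is still valid memory. */
void nfct_helper_free_fixed(struct nfct_helper *h)
{
        int i;

        if (h == NULL)
                return;
        for (i = 0; i < NF_CT_HELPER_CLASS_MAX; i++) {
                if (h->expect_policy[i])
                        policy_release(h->expect_policy[i]);
        }
        free(h);
}

/* Build a helper with n populated policy slots (constructed sample data,
 * capped at NF_CT_HELPER_CLASS_MAX). */
struct nfct_helper *make_helper(int n)
{
        struct nfct_helper *h = calloc(1, sizeof(*h));
        int i;

        if (h == NULL)
                return NULL;
        snprintf(h->name, sizeof(h->name), "demo");
        for (i = 0; i < n && i < NF_CT_HELPER_CLASS_MAX; i++) {
                struct nfct_helper_policy *p = calloc(1, sizeof(*p));
                if (p == NULL) {
                        nfct_helper_free_fixed(h);
                        return NULL;
                }
                snprintf(p->name, sizeof(p->name), "class%d", i);
                p->max_expected = 8;
                h->expect_policy[i] = p;
        }
        return h;
}

/* Allocate, populate and free a helper; return the number of policies
 * released, which must equal the number that were allocated. */
int helper_roundtrip(int n)
{
        struct nfct_helper *h = make_helper(n);

        if (h == NULL)
                return -1;
        policies_released = 0;
        nfct_helper_free_fixed(h);
        return policies_released;
}

int main(void)
{
        printf("released %d policies\n", helper_roundtrip(3));
        return 0;
}
```

Building the original ordering with `-fsanitize=address` reports a heap-use-after-free on the first `h->expect_policy[i]` read after `free(h)`; the ordering above is clean under the same flags, and the counter confirms nothing is leaked by the fix.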