[PATCH 8/9] netfilter/ct: fix calling nfnl_*_put() on uninitialized memory after nfnlmsg_*_parse()

Thomas Haller thaller at redhat.com
Tue Jun 10 09:59:44 PDT 2014


nfnlmsg_*_parse() does not assign *result on error, so the error path
would call nfnl_*_put() on an uninitialized pointer.

Error found by coverity.

Signed-off-by: Thomas Haller <thaller at redhat.com>
---
 lib/netfilter/ct.c        | 3 +--
 lib/netfilter/exp.c       | 3 +--
 lib/netfilter/log_msg.c   | 3 +--
 lib/netfilter/queue_msg.c | 3 +--
 4 files changed, 4 insertions(+), 8 deletions(-)

diff --git a/lib/netfilter/ct.c b/lib/netfilter/ct.c
index 04f9d01..36a83db 100644
--- a/lib/netfilter/ct.c
+++ b/lib/netfilter/ct.c
@@ -414,10 +414,9 @@ static int ct_msg_parser(struct nl_cache_ops *ops, struct sockaddr_nl *who,
 	int err;
 
 	if ((err = nfnlmsg_ct_parse(nlh, &ct)) < 0)
-		goto errout;
+		return err;
 
 	err = pp->pp_cb((struct nl_object *) ct, pp);
-errout:
 	nfnl_ct_put(ct);
 	return err;
 }
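Review bot: The early `return err;` is correct only because nfnlmsg_ct_parse() leaves `ct` untouched on failure, which the commit message states but nothing in the function records, so a later refactor could reintroduce a shared cleanup label that calls nfnl_ct_put() on the unassigned pointer. A one-line why-comment above the return would pin that contract, e.g. `/* on error *ct is not assigned, so there is nothing to put */`. The same applies to exp_msg_parser, log_msg_parser and queue_msg_parser in the three following hunks. ct_msg_parser's signature and the declaration of `ct` lie above the hunk.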
diff --git a/lib/netfilter/exp.c b/lib/netfilter/exp.c
index 86ed8d1..9cfdd2b 100644
--- a/lib/netfilter/exp.c
+++ b/lib/netfilter/exp.c
@@ -298,10 +298,9 @@ static int exp_msg_parser(struct nl_cache_ops *ops, struct sockaddr_nl *who,
 	int err;
 
 	if ((err = nfnlmsg_exp_parse(nlh, &exp)) < 0)
-		goto errout;
+		return err;
 
 	err = pp->pp_cb((struct nl_object *) exp, pp);
-errout:
 	nfnl_exp_put(exp);
 	return err;
 }
diff --git a/lib/netfilter/log_msg.c b/lib/netfilter/log_msg.c
index 6e09da2..5ffdaf8 100644
--- a/lib/netfilter/log_msg.c
+++ b/lib/netfilter/log_msg.c
@@ -174,10 +174,9 @@ static int log_msg_parser(struct nl_cache_ops *ops, struct sockaddr_nl *who,
 	int err;
 
 	if ((err = nfnlmsg_log_msg_parse(nlh, &msg)) < 0)
-		goto errout;
+		return err;
 
 	err = pp->pp_cb((struct nl_object *) msg, pp);
-errout:
 	nfnl_log_msg_put(msg);
 	return err;
 }
diff --git a/lib/netfilter/queue_msg.c b/lib/netfilter/queue_msg.c
index 1425577..3388923 100644
--- a/lib/netfilter/queue_msg.c
+++ b/lib/netfilter/queue_msg.c
@@ -153,10 +153,9 @@ static int queue_msg_parser(struct nl_cache_ops *ops, struct sockaddr_nl *who,
 	int err;
 
 	if ((err = nfnlmsg_queue_msg_parse(nlh, &msg)) < 0)
-		goto errout;
+		return err;
 
 	err = pp->pp_cb((struct nl_object *) msg, pp);
-errout:
 	nfnl_queue_msg_put(msg);
 	return err;
 }
-- 
1.9.3



