Date: Mon, 20 Apr 2015 19:57:10 -0700
From: Seth Arnold <seth.arnold@...onical.com>
To: pablo@...filter.org
Cc: oss-security@...ts.openwall.com, security@...ntu.com
Subject: use-after-free in src/libnetfilter_cthelper.c

Hello Pablo, all,

I noticed a use-after-free in src/libnetfilter_cthelper.c:

void nfct_helper_free(struct nfct_helper *h)
{
        int i;

        free(h);
        for (i=0; i<NF_CT_HELPER_CLASS_MAX; i++) {
                if (h->expect_policy[i])
                        free(h->expect_policy[i]);
        }
}

A simple fix would move the free(h) line below the for() loop.

Does this issue deserve a CVE? Determining exploitability is not my
expertise.

A simple browsable version can be found at:
http://sources.debian.net/src/libnetfilter-cthelper/1.0.0-1/src/libnetfilter_cthelper.c/?hl=109#L108

Some callers of this function can be found in the conntrack package:
https://codesearch.debian.net/results/nfct_helper_free%20package%3Aconntrack/page_0

Thanks
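The release order the post proposes, worked through as an added example (my code, not the library's and not from the post); the struct layouts, the value of NF_CT_HELPER_CLASS_MAX and demo_helper_alloc() are assumed stand-ins so the block compiles on its own:

```c
#include <stdlib.h>

/* Demo-only stand-ins for the library's types (assumed, not the real
 * definitions; NF_CT_HELPER_CLASS_MAX comes from the kernel uapi header). */
#define NF_CT_HELPER_CLASS_MAX 4

struct nfct_helper_policy { unsigned int expect_max; };

struct nfct_helper {
        struct nfct_helper_policy *expect_policy[NF_CT_HELPER_CLASS_MAX];
};

/* Corrected release order: everything reached through h is freed before
 * h itself, so the loop never reads freed memory. Returns the number of
 * policy entries released (demo instrumentation; the library's
 * nfct_helper_free() returns void). */
int nfct_helper_free_fixed(struct nfct_helper *h)
{
        int i, released = 0;

        if (!h)
                return 0;
        for (i = 0; i < NF_CT_HELPER_CLASS_MAX; i++) {
                if (h->expect_policy[i]) {
                        free(h->expect_policy[i]);
                        h->expect_policy[i] = NULL;
                        released++;
                }
        }
        free(h);        /* the container goes last */
        return released;
}

/* Demo constructor (assumed; not the library's nfct_helper_alloc()):
 * fills the first npolicies slots, capped at the class maximum. */
struct nfct_helper *demo_helper_alloc(int npolicies)
{
        int i;
        struct nfct_helper *h = calloc(1, sizeof(*h));
        if (!h)
                return NULL;
        for (i = 0; i < npolicies && i < NF_CT_HELPER_CLASS_MAX; i++) {
                h->expect_policy[i] = calloc(1, sizeof(*h->expect_policy[i]));
                if (!h->expect_policy[i]) {
                        nfct_helper_free_fixed(h);  /* partial cleanup is safe */
                        return NULL;
                }
        }
        return h;
}
```

Compiling the original function with -fsanitize=address and running any caller through it reports a heap-use-after-free at the h->expect_policy[i] read, which is the quickest way to confirm the ordering bug before and after a fix.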
