From d2915c3e86b24b9e68a1eecc843f005f8c27579fcb2ea26963a42e676ad46541 Mon Sep 17 00:00:00 2001
From: Jan Engelhardt
Date: Mon, 8 Dec 2014 17:16:34 +0000
Subject: [PATCH] Accepting request 264334 from home:chorler:branches:security:netfilter
I'm experimenting with conntrack / conntrackd, when running nfct I got a segfault. The segfault is fixed by moving the first free: GDB shows the segfault on free of the pointer 0x45454545... Valgrind shows me this:
==5278== Invalid read of size 8
==5278== at 0x523E970: nfct_helper_free (libnetfilter_cthelper.c:118)
==5278== by 0x403361: nfct_cmd_helper_add (helper.c:249)
==5278== by 0x401EB0: main (nfct.c:77)
==5278== Address 0x59f4618 is 40 bytes inside a block of size 80 free'd
==5278== at 0x4C28ADC: free (vg_replace_malloc.c:446)
==5278== by 0x523E96F: nfct_helper_free (libnetfilter_cthelper.c:116)
==5278== by 0x403361: nfct_cmd_helper_add (helper.c:249)
==5278== by 0x401EB0: main (nfct.c:77)
OBS-URL: https://build.opensuse.org/request/show/264334
OBS-URL: https://build.opensuse.org/package/show/security:netfilter/libnetfilter_cthelper?expand=0&rev=20
---
 fix_h_expect_policy_free.patch | 15 +++++++++++++++
 libnetfilter_cthelper.changes | 5 +++++
 libnetfilter_cthelper.spec | 2 ++
 3 files changed, 22 insertions(+)
 create mode 100644 fix_h_expect_policy_free.patch
diff --git a/fix_h_expect_policy_free.patch b/fix_h_expect_policy_free.patch
new file mode 100644
index 0000000..6f767c9
--- /dev/null
+++ b/fix_h_expect_policy_free.patch
@@ -0,0 +1,15 @@
+--- libnetfilter_cthelper-1.0.0.orig/src/libnetfilter_cthelper.c 2012-06-05 17:59:28.810356258 +0100
++++ libnetfilter_cthelper-1.0.0/src/libnetfilter_cthelper.c 2014-12-07 19:52:55.769975500 +0000
+@@ -113,11 +113,11 @@
+ {
+ int i;
+- free(h);
+ for (i=0; iexpect_policy[i])
+ free(h->expect_policy[i]);
+ }
++ free(h);
+ }
+ EXPORT_SYMBOL(nfct_helper_free);
+
diff --git a/libnetfilter_cthelper.changes b/libnetfilter_cthelper.changes
index 79519e8..3249e4d 100644
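Review bot: The `for` line of the embedded patch reads `for (i=0; iexpect_policy[i])`, i.e. the loop bound, the `i++) {` and the `if (h->` guard that should precede `expect_policy[i]` are missing, so as shown here the patch cannot apply and `%patch0 -p1` would fail; this looks like the `<` of the loop condition being swallowed as markup on the way into this listing rather than a defect in the committed file, but it is worth confirming the on-disk patch still carries the complete `for (i=0; i<…; i++) {` and `if (h->expect_policy[i])` lines. The fix itself is the right one: on the old side `free(h)` ran before the loop that dereferences `h->expect_policy[i]`, which is exactly the read of freed memory Valgrind reports at libnetfilter_cthelper.c:118 (freed at :116), and a garbage pointer read from that block being handed to `free()` is consistent with the 0x45454545 crash described in the commit message. The `if (h->expect_policy[i])` guard kept on the new side is redundant because `free(NULL)` is a no-op, so the loop body could simply be `free(h->expect_policy[i]);`, though keeping the backport minimal against the 1.0.0 tarball is a defensible choice. The function's signature is outside this hunk; the loop dereferences `h` unconditionally, so a NULL `h` would still crash and callers must not rely on `nfct_helper_free(NULL)` being safe.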
--- a/libnetfilter_cthelper.changes
+++ b/libnetfilter_cthelper.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Sun Dec 7 19:58:44 UTC 2014 - cshorler@googlemail.com
+
+- fix segfault due to free of free'd pointer
+
 -------------------------------------------------------------------
 Tue Sep 23 15:43:40 UTC 2014 - jengelh@inai.de
diff --git a/libnetfilter_cthelper.spec b/libnetfilter_cthelper.spec
index 45267da..aed4e02 100644
--- a/libnetfilter_cthelper.spec
+++ b/libnetfilter_cthelper.spec
@@ -31,6 +31,7 @@ Source: http://netfilter.org/projects/libnetfilter_cthelper/files/%name-
 Source2: http://netfilter.org/projects/libnetfilter_cthelper/files/%name-%version.tar.bz2.sig
 Source3: baselibs.conf
 Source4: %name.keyring
+Patch0: fix_h_expect_policy_free.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 #BuildRequires: autoconf
 #BuildRequires: automake >= 1.6
@@ -61,6 +62,7 @@ Netfilter userspace helper infrastructure.
 %prep
 %setup -q
+%patch0 -p1
 %build
 if [ ! -e configure ]; then