A denial of service vulnerabiity exists in fig2dev through 3.28a due to a segfault in the open_stream function in readpics.c.

**System info**

Ubuntu 16.04 xenial, gcc (Ubuntu 5.5.0-12ubuntu1), fig2dev (latest master a4c6e1)

****Command line****

./fig2dev -L pdf -G .25:1cm -j -m 2 -N -P -x 3 -y 4 @@ /dev/null

**Output**

An open rectangle at line 14 - close it.
A rectangle with 5 corners at line 14 - convert to a polygon.
\[1\]    13064 segmentation fault  ~/AlphaFuzz-Experiment/projects/baseline0711/afl-fig2dev/fuzz\_bin/fig2dev -L

**AddressSanitizer output**

An open rectangle at line 14 - close it.
A rectangle with 5 corners at line 14 - convert to a polygon.
ASAN:SIGSEGV
\=================================================================
\==6829\==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000051a094 bp 0x7fff3739baa0 sp 0x7fff3739b8f0 T0)
    #0 0x51a093 in open\_stream /home/qiuhongjun/AlphaFuzz-Experiment/programs/programs-asan/fig2dev/fig2dev/dev/readpics.c:215
    #1 0x4b2aa8 in genps\_line /home/qiuhongjun/AlphaFuzz-Experiment/programs/programs-asan/fig2dev/fig2dev/dev/genps.c:1672
    #2 0x412a7d in gendev\_objects /home/qiuhongjun/AlphaFuzz-Experiment/programs/programs-asan/fig2dev/fig2dev/fig2dev.c:1008
    #3 0x411481 in main /home/qiuhongjun/AlphaFuzz-Experiment/programs/programs-asan/fig2dev/fig2dev/fig2dev.c:485
    #4 0x7f25954e683f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2083f)
    #5 0x4032f8 in \_start (/home/qiuhongjun/AlphaFuzz-Experiment/results/crashes-binary/gcc-asan/fig2dev/fig2dev+0x4032f8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/qiuhongjun/AlphaFuzz-Experiment/programs/programs-asan/fig2dev/fig2dev/dev/readpics.c:215 open\_stream
\==6829\==ABORTING

CVE-2021-37530: Xfig / Tickets

A double-free vulnerability exists in fig2dev through 3.28a is affected by: via the free_stream function in readpics.c, which could cause a denial of service (context-dependent).

**System info**

Ubuntu 16.04 xenial, gcc (Ubuntu 5.5.0-12ubuntu1), fig2dev (latest master a4c6e1)

****Command line****

./fig2dev -L pdf -G .25:1cm -j -m 2 -N -P -x 3 -y 4 @@ /dev/null

**Output**

No such picture file: ../../fig2dev/ 0 0 675 0 675 375 0  0 0 5
\*\*\* Error in \`../../fig2dev': double free or corruption (!prev): 0x0000000000cfc030 \*\*\*
\======= Backtrace: \=========
/lib/x86\_64-linux-gnu/libc.so.6(+0x777f5)\[0x7f7fd7b6f7f5\]
/lib/x86\_64-linux-gnu/libc.so.6(+0x8038a)\[0x7f7fd7b7838a\]
/lib/x86\_64-linux-gnu/libc.so.6(cfree+0x4c)\[0x7f7fd7b7c58c\]
../../fig2dev\[0x4bbb2b\]
../../fig2dev\[0x47accd\]
../../fig2dev\[0x411b24\]
/lib/x86\_64-linux-gnu/libc.so.6(\_\_libc\_start\_main+0xf0)\[0x7f7fd7b18840\]
../../fig2dev\[0x402c09\]
\======= Memory map: \========
00400000\-004ec000 r-xp 00000000 08:11 27664590                           ../../fig2dev
006ec000-006ed000 r--p 000ec000 08:11 27664590                           ../../fig2dev
006ed000-00700000 rw-p 000ed000 08:11 27664590                           ../../fig2dev
00700000\-0071b000 rw-p 00000000 00:00 0
00cfb000-00d1c000 rw-p 00000000 00:00 0                                  \[heap\]
7f7fd0000000-7f7fd0021000 rw-p 00000000 00:00 0
7f7fd0021000-7f7fd4000000 ---p 00000000 00:00 0
7f7fd7579000-7f7fd7590000 r-xp 00000000 08:02 12582916                   /lib/x86\_64-linux-gnu/libgcc\_s.so.1
7f7fd7590000-7f7fd778f000 ---p 00017000 08:02 12582916                   /lib/x86\_64-linux-gnu/libgcc\_s.so.1
7f7fd778f000-7f7fd7790000 r--p 00016000 08:02 12582916                   /lib/x86\_64-linux-gnu/libgcc\_s.so.1
7f7fd7790000-7f7fd7791000 rw-p 00017000 08:02 12582916                   /lib/x86\_64-linux-gnu/libgcc\_s.so.1
7f7fd7791000-7f7fd7af8000 r--p 00000000 08:02 38010883                   /usr/lib/locale/locale-archive
7f7fd7af8000-7f7fd7cb8000 r-xp 00000000 08:02 12583571                   /lib/x86\_64-linux-gnu/libc-2.23.so
7f7fd7cb8000-7f7fd7eb8000 ---p 001c0000 08:02 12583571                   /lib/x86\_64-linux-gnu/libc-2.23.so
7f7fd7eb8000-7f7fd7ebc000 r--p 001c0000 08:02 12583571                   /lib/x86\_64-linux-gnu/libc-2.23.so
7f7fd7ebc000-7f7fd7ebe000 rw-p 001c4000 08:02 12583571                   /lib/x86\_64-linux-gnu/libc-2.23.so
7f7fd7ebe000-7f7fd7ec2000 rw-p 00000000 00:00 0
7f7fd7ec2000-7f7fd7fca000 r-xp 00000000 08:02 12583566                   /lib/x86\_64-linux-gnu/libm-2.23.so
7f7fd7fca000-7f7fd81c9000 ---p 00108000 08:02 12583566                   /lib/x86\_64-linux-gnu/libm-2.23.so
7f7fd81c9000-7f7fd81ca000 r--p 00107000 08:02 12583566                   /lib/x86\_64-linux-gnu/libm-2.23.so
7f7fd81ca000-7f7fd81cb000 rw-p 00108000 08:02 12583566                   /lib/x86\_64-linux-gnu/libm-2.23.so
7f7fd81cb000-7f7fd81e4000 r-xp 00000000 08:02 12583082                   /lib/x86\_64-linux-gnu/libz.so.1.2.8
7f7fd81e4000-7f7fd83e3000 ---p 00019000 08:02 12583082                   /lib/x86\_64-linux-gnu/libz.so.1.2.8
7f7fd83e3000-7f7fd83e4000 r--p 00018000 08:02 12583082                   /lib/x86\_64-linux-gnu/libz.so.1.2.8
7f7fd83e4000-7f7fd83e5000 rw-p 00019000 08:02 12583082                   /lib/x86\_64-linux-gnu/libz.so.1.2.8
7f7fd83e5000-7f7fd8409000 r-xp 00000000 08:02 12583492                   /lib/x86\_64-linux-gnu/libpng12.so.0.54.0
7f7fd8409000-7f7fd8608000 ---p 00024000 08:02 12583492                   /lib/x86\_64-linux-gnu/libpng12.so.0.54.0
7f7fd8608000-7f7fd8609000 r--p 00023000 08:02 12583492                   /lib/x86\_64-linux-gnu/libpng12.so.0.54.0
7f7fd8609000-7f7fd860a000 rw-p 00024000 08:02 12583492                   /lib/x86\_64-linux-gnu/libpng12.so.0.54.0
7f7fd860a000-7f7fd8630000 r-xp 00000000 08:02 12583562                   /lib/x86\_64-linux-gnu/ld-2.23.so
7f7fd87fb000-7f7fd8800000 rw-p 00000000 00:00 0
7f7fd882e000-7f7fd882f000 rw-p 00000000 00:00 0
7f7fd882f000-7f7fd8830000 r--p 00025000 08:02 12583562                   /lib/x86\_64-linux-gnu/ld-2.23.so
7f7fd8830000-7f7fd8831000 rw-p 00026000 08:02 12583562                   /lib/x86\_64-linux-gnu/ld-2.23.so
7f7fd8831000-7f7fd8832000 rw-p 00000000 00:00 0
7ffc8c5c7000-7ffc8c5e8000 rw-p 00000000 00:00 0                          \[stack\]
7ffc8c5ec000-7ffc8c5ee000 r--p 00000000 00:00 0                          \[vvar\]
7ffc8c5ee000-7ffc8c5f0000 r-xp 00000000 00:00 0                          \[vdso\]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  \[vsyscall\]
\[1\]    32228 abort      ../../fig2dev -L

**AddressSanitizer output**

No such picture file: ../../fig2dev/ 0 0 675 0 675 375 0  0 0 5
\=================================================================
\==28522\==ERROR: AddressSanitizer: attempting double-free on 0x610000007d40 in thread T0:
    #0 0x7f58f241532a in \_\_interceptor\_free (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x9832a)
    #1 0x519594 in free\_stream ../../fig2dev/fig2dev/dev/readpics.c:62
    #2 0x4b2b32 in genps\_line ../../fig2dev/fig2dev/dev/genps.c:1674
    #3 0x412a7d in gendev\_objects ../../fig2dev/fig2dev/fig2dev.c:1008
    #4 0x411481 in main ../../fig2dev/fig2dev/fig2dev.c:485
    #5 0x7f58f188b83f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2083f)
    #6 0x4032f8 in \_start (/home/qiuhongjun/AlphaFuzz-Experiment/results/crashes-binary/gcc-asan/fig2dev/fig2dev+0x4032f8)

0x610000007d40 is located 0 bytes inside of 180\-byte region \[0x610000007d40,0x610000007df4)
freed by thread T0 here:
    #0 0x7f58f241532a in \_\_interceptor\_free (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x9832a)
    #1 0x519594 in free\_stream ../../fig2dev/fig2dev/dev/readpics.c:62
    #2 0x51a022 in open\_stream ../../fig2dev/fig2dev/dev/readpics.c:211
    #3 0x4b2aa8 in genps\_line ../../fig2dev/fig2dev/dev/genps.c:1672
    #4 0x412a7d in gendev\_objects ../../fig2dev/fig2dev/fig2dev.c:1008
    #5 0x411481 in main ../../fig2dev/fig2dev/fig2dev.c:485
    #6 0x7f58f188b83f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2083f)

previously allocated by thread T0 here:
    #0 0x7f58f2415662 in malloc (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x98662)
    #1 0x519f58 in open\_stream ../../fig2dev/fig2dev/dev/readpics.c:199
    #2 0x4b2aa8 in genps\_line ../../fig2dev/fig2dev/dev/genps.c:1672
    #3 0x412a7d in gendev\_objects ../../fig2dev/fig2dev/fig2dev.c:1008
    #4 0x411481 in main ../../fig2dev/fig2dev/fig2dev.c:485
    #5 0x7f58f188b83f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2083f)

SUMMARY: AddressSanitizer: double-free ??:0 \_\_interceptor\_free
\==28522\==ABORTING

CVE-2021-37529: Xfig / Tickets

A buffer overflow in the GmfOpenMesh() function of libMeshb v7.61 allows attackers to cause a Denial of Service (DoS) via a crafted MESH file.

@@ -1,5 +1,5 @@  
c libmeshb example : transform a quadrilateral mesh into a triangular one c libmeshb example: transform a quadrilateral mesh into a triangular one c using fast block transfer and pipelined post processing  
include 'libmeshb7.ins' @@ -39,14 +39,15 @@  
c Read the vertices res \= gmfgetblock(InpMsh, GmfVertices, 1\_8, NmbVer, + movver, 1, VerTab, + 0, %val(0), movver, 1, VerTab, + GmfDouble, VerTab(1,1), VerTab(1,2), + GmfDouble, VerTab(2,1), VerTab(2,2), + GmfDouble, VerTab(3,1), VerTab(3,2), + GmfInt, RefTab(1), RefTab(2))  
c Read the quads res \= gmfgetblock(InpMsh, GmfQuadrilaterals, 1\_8, NmbQad,0, res \= gmfgetblock(InpMsh, GmfQuadrilaterals, 1\_8, NmbQad, + 0, %val(0), %val(0), + GmfInt, QadTab(1,1), QadTab(1,2), + GmfInt, QadTab(2,1), QadTab(2,2), + GmfInt, QadTab(3,1), QadTab(3,2), @@ -79,7 +80,7 @@ c Write the triangles res \= gmfsetkwd(OutMsh, GmfTriangles, 2\*NmbQad, 0, 0) res \= gmfsetblock(OutMsh, GmfTriangles, 1\_8, 2\*NmbQad, + 0,%val(0),%val(0), + 0,%val(0), + qad2tri, 2, QadTab, TriTab, + GmfInt, TriTab(1,1), TriTab(1,2), + GmfInt, TriTab(2,1), TriTab(2,2),

CVE-2021-46225: Removed a potential buffer overflow crash in GmfOpenMesh and debugged… · LoicMarechal/libMeshb@8cd68c5

A heap-based buffer overflow vulnerability exists in GPAC v1.0.1 in the gf_isom_dovi_config_get function in MP4Box, which causes a denial of service or execute arbitrary code via a crafted file.

Hello,  
A heap-buffer-overflow has occurred in function gf\_isom\_dovi\_config\_get of isomedia/avc\_ext.c:2435 when running program MP4Box,this can reproduce on the lattest commit.  
System info：  
Ubuntu 20.04.1 : clang 10.0.0 , gcc 9.3.0

poc\_heap.zip

Verification steps：  
1.Get the source code of gpac  
2.Compile

    cd gpac-master
    CC=gcc CXX=g++ CFLAGS="-fsanitize=address" CXXFLAGS="-fsanitize=address" ./configure
    make
    

3.run MP4Box

command line

    [iso file] Unknown box type esJs in parent enca
    [iso file] Unknown box type stts in parent enca
    [iso file] Box "enca" (start 1455) has 5 extra bytes
    [iso file] Box "enca" is larger than container box
    [iso file] Box "stsd" size 171 (start 1439) invalid (read 192)
    * Movie Info *
    	Timescale 90000 - 2 tracks
    Segmentation fault
    
    

asan info

    =================================================================
    ==1042542==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x610000000130 at pc 0x7fc6ede92514 bp 0x7ffcfced6850 sp 0x7ffcfced6840
    READ of size 8 at 0x610000000130 thread T0
        #0 0x7fc6ede92513 in gf_isom_dovi_config_get isomedia/avc_ext.c:2435
        #1 0x7fc6ee2fec1e in gf_media_get_rfc_6381_codec_name media_tools/isom_tools.c:4207
        #2 0x558b1bf03ac5 in DumpTrackInfo /home.../gpac/gpac-master/applications/mp4box/filedump.c:3442
        #3 0x558b1bf18f44 in DumpMovieInfo /home.../gpac/gpac-master/applications/mp4box/filedump.c:3777
        #4 0x558b1bed571d in mp4boxMain /home.../gpac/gpac-master/applications/mp4box/main.c:5991
        #5 0x7fc6ed2390b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
        #6 0x558b1be77f1d in _start (/home.../gpac/gpac-master/bin/gcc/MP4Boxfl+0x48f1d)
    
    Address 0x610000000130 is a wild pointer.
    SUMMARY: AddressSanitizer: heap-buffer-overflow isomedia/avc_ext.c:2435 in gf_isom_dovi_config_get
    Shadow bytes around the buggy address:
      0x0c207fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c207fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c207fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c207fff8000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
      0x0c207fff8010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c207fff8020: fa fa fa fa fa fa[fa]fa fa fa fa fa fa fa fa fa
      0x0c207fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c207fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c207fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c207fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c207fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==1042542==ABORTING
    

source code

    2428 GF_DOVIDecoderConfigurationRecord *gf_isom_dovi_config_get(GF_ISOFile* the_file, u32 trackNumber, u32 DescriptionIndex)
    2429 {
    2430 	GF_TrackBox* trak;
    2431 	GF_MPEGVisualSampleEntryBox *entry;
    2432 	trak = gf_isom_get_track_from_file(the_file, trackNumber);
    2433 	if (!trak || !trak->Media || !DescriptionIndex) return NULL;
    2434 	entry = (GF_MPEGVisualSampleEntryBox*)gf_list_get(trak->Media->information->sampleTable->SampleDescription->child_boxes, DescriptionIndex - 1);
    2435 	if (!entry || !entry->dovi_config) return NULL;
    2436 	return DOVI_DuplicateConfig(&entry->dovi_config->DOVIConfig);
    2437 }

CVE-2021-36417: A heap-buffer-overflow has occurred in function gf_isom_dovi_config_get · Issue #1846 · gpac/gpac

An improper link resolution before file access vulnerability exists in the Palo Alto Networks Cortex XDR agent on Windows platforms that enables a local user to delete arbitrary system files and impact the system integrity or cause a denial of service condition. This issue impacts: Cortex XDR agent 5.0 versions earlier than Cortex XDR agent 5.0.12; Cortex XDR agent 6.1 versions earlier than Cortex XDR agent 6.1.9; Cortex XDR agent 7.2 versions earlier than Cortex XDR agent 7.2.4; Cortex XDR agent 7.3 versions earlier than Cortex XDR agent 7.3.2.

*   Get support
*   Security advisories
*   Report vulnerabilities
*   Subscribe
*   RSS feed

Palo Alto Networks Security Advisories / CVE-2022-0012

Attack Vector **LOCAL**

Attack Complexity **LOW**

Privileges Required **LOW**

User Interaction **NONE**

Scope **UNCHANGED**

Confidentiality Impact **NONE**

Integrity Impact **LOW**

Availability Impact **HIGH**

NVD JSON

Published **2022-01-12**

Updated **2022-01-12**

Reference **CPATR-13408**

Discovered **externally**

**Description**

An improper link resolution before file access vulnerability exists in the Palo Alto Networks Cortex XDR agent on Windows platforms that enables a local user to delete arbitrary system files and impact the system integrity or cause a denial of service condition.

This issue impacts:

Cortex XDR agent 5.0 versions earlier than Cortex XDR agent 5.0.12;

Cortex XDR agent 6.1 versions earlier than Cortex XDR agent 6.1.9;

Cortex XDR agent 7.2 versions earlier than Cortex XDR agent 7.2.4;

Cortex XDR agent 7.3 versions earlier than Cortex XDR agent 7.3.2.

**Product Status**

Versions

Affected

Unaffected

Cortex XDR Agent 7.6

None

7.6.\* on Windows

Cortex XDR Agent 7.5

None

7.5.\* on Windows

Cortex XDR Agent 7.4

None

7.4.\* on Windows

Cortex XDR Agent 7.3

< 7.3.2 on Windows

\>= 7.3.2 on Windows

Cortex XDR Agent 7.2

< 7.2.4 on Windows

\>= 7.2.4 on Windows

Cortex XDR Agent 6.1

< 6.1.9 on Windows

\>= 6.1.9 on Windows

Cortex XDR Agent 5.0

< 5.0.12 on Windows

\>= 5.0.12 on Windows

**Severity: MEDIUM**

CVSSv3.1 Base Score: 6.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H)

**Exploitation Status**

Palo Alto Networks is not aware of any malicious exploitation of this issue.

**Weakness Type**

CWE-59 Improper Link Resolution Before File Access ('Link Following')

**Solution**

This issue is fixed in Cortex XDR agent 5.0.12, Cortex XDR agent 6.1.9, Cortex XDR agent 7.2.4, Cortex XDR agent 7.3.2, and all later Cortex XDR agent versions.

**Workarounds and Mitigations**

There is no known workaround available for this issue.

**Acknowledgments**

Palo Alto Networks thanks Chris Au for discovering and reporting this issue.

**Timeline**

2022-01-12 Initial publication

© 2020 Palo Alto Networks, Inc. All rights reserved.

CVE-2022-0012: CVE-2022-0012 Cortex XDR Agent: Local Arbitrary File Deletion Vulnerability

nf_tables_newset in net/netfilter/nf_tables_api.c in the Linux kernel before 5.12.13 allows local users to cause a denial of service (NULL pointer dereference and general protection fault) because of the missing initialization for nft_set_elem_expr_alloc. A local user can set a netfilter table expression in their own namespace.

nft\_set\_elem\_expr\_alloc() needs an initialized set if expression sets on the NFT\_EXPR\_GC flag. Move set fields initialization before expression setup. \[4512935.019450\] ================================================================== \[4512935.019456\] BUG: KASAN: null-ptr-deref in nft\_set\_elem\_expr\_alloc+0x84/0xd0 \[nf\_tables\] \[4512935.019487\] Read of size 8 at addr 0000000000000070 by task nft/23532 \[4512935.019494\] CPU: 1 PID: 23532 Comm: nft Not tainted 5.12.0-rc4+ #48 \[...\] \[4512935.019502\] Call Trace: \[4512935.019505\] dump\_stack+0x89/0xb4 \[4512935.019512\] ? nft\_set\_elem\_expr\_alloc+0x84/0xd0 \[nf\_tables\] \[4512935.019536\] ? nft\_set\_elem\_expr\_alloc+0x84/0xd0 \[nf\_tables\] \[4512935.019560\] kasan\_report.cold.12+0x5f/0xd8 \[4512935.019566\] ? nft\_set\_elem\_expr\_alloc+0x84/0xd0 \[nf\_tables\] \[4512935.019590\] nft\_set\_elem\_expr\_alloc+0x84/0xd0 \[nf\_tables\] \[4512935.019615\] nf\_tables\_newset+0xc7f/0x1460 \[nf\_tables\] Reported-by: syzbot+ce96ca2b1d0b37c6422d@syzkaller.appspotmail.com Fixes: 65038428b2c6 ("netfilter: nf\_tables: allow to specify stateful expression in set definition") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

@@ -4364,13 +4364,45 @@ static int nf\_tables\_newset(struct sk\_buff \*skb, const struct nfnl\_info \*info,

err = nf\_tables\_set\_alloc\_name(&ctx, set, name);

kfree(name);

if (err < 0)

\- goto err\_set\_alloc\_name;

\+ goto err\_set\_name;

+

\+ udata = NULL;

\+ if (udlen) {

\+ udata = set->data + size;

\+ nla\_memcpy(udata, nla\[NFTA\_SET\_USERDATA\], udlen);

\+ }

+

\+ INIT\_LIST\_HEAD(&set->bindings);

\+ INIT\_LIST\_HEAD(&set->catchall\_list);

\+ set->table = table;

\+ write\_pnet(&set->net, net);

\+ set->ops = ops;

\+ set->ktype = ktype;

\+ set->klen = desc.klen;

\+ set->dtype = dtype;

\+ set->objtype = objtype;

\+ set->dlen = desc.dlen;

\+ set->flags = flags;

\+ set->size = desc.size;

\+ set->policy = policy;

\+ set->udlen = udlen;

\+ set->udata = udata;

\+ set->timeout = timeout;

\+ set->gc\_int = gc\_int;

+

\+ set->field\_count = desc.field\_count;

\+ for (i = 0; i < desc.field\_count; i++)

\+ set->field\_len\[i\] = desc.field\_len\[i\];

+

\+ err = ops->init(set, &desc, nla);

\+ if (err < 0)

\+ goto err\_set\_init;

if (nla\[NFTA\_SET\_EXPR\]) {

expr = nft\_set\_elem\_expr\_alloc(&ctx, set, nla\[NFTA\_SET\_EXPR\]);

if (IS\_ERR(expr)) {

err = PTR\_ERR(expr);

\- goto err\_set\_alloc\_name;

\+ goto err\_set\_expr\_alloc;

}

set->exprs\[0\] = expr;

set->num\_exprs++;

@@ -4381,75 +4413,44 @@ static int nf\_tables\_newset(struct sk\_buff \*skb, const struct nfnl\_info \*info,

if (!(flags & NFT\_SET\_EXPR)) {

err = -EINVAL;

\- goto err\_set\_alloc\_name;

\+ goto err\_set\_expr\_alloc;

}

i = 0;

nla\_for\_each\_nested(tmp, nla\[NFTA\_SET\_EXPRESSIONS\], left) {

if (i == NFT\_SET\_EXPR\_MAX) {

err = -E2BIG;

\- goto err\_set\_init;

\+ goto err\_set\_expr\_alloc;

}

if (nla\_type(tmp) != NFTA\_LIST\_ELEM) {

err = -EINVAL;

\- goto err\_set\_init;

\+ goto err\_set\_expr\_alloc;

}

expr = nft\_set\_elem\_expr\_alloc(&ctx, set, tmp);

if (IS\_ERR(expr)) {

err = PTR\_ERR(expr);

\- goto err\_set\_init;

\+ goto err\_set\_expr\_alloc;

}

set->exprs\[i++\] = expr;

set->num\_exprs++;

}

}

\- udata = NULL;

\- if (udlen) {

\- udata = set->data + size;

\- nla\_memcpy(udata, nla\[NFTA\_SET\_USERDATA\], udlen);

\- }

\-

\- INIT\_LIST\_HEAD(&set->bindings);

\- INIT\_LIST\_HEAD(&set->catchall\_list);

\- set->table = table;

\- write\_pnet(&set->net, net);

\- set->ops = ops;

\- set->ktype = ktype;

\- set->klen = desc.klen;

\- set->dtype = dtype;

\- set->objtype = objtype;

\- set->dlen = desc.dlen;

\- set->flags = flags;

\- set->size = desc.size;

\- set->policy = policy;

\- set->udlen = udlen;

\- set->udata = udata;

\- set->timeout = timeout;

\- set->gc\_int = gc\_int;

set->handle = nf\_tables\_alloc\_handle(table);

\- set->field\_count = desc.field\_count;

\- for (i = 0; i < desc.field\_count; i++)

\- set->field\_len\[i\] = desc.field\_len\[i\];

\-

\- err = ops->init(set, &desc, nla);

\- if (err < 0)

\- goto err\_set\_init;

\-

err = nft\_trans\_set\_add(&ctx, NFT\_MSG\_NEWSET, set);

if (err < 0)

\- goto err\_set\_trans;

\+ goto err\_set\_expr\_alloc;

list\_add\_tail\_rcu(&set->list, &table->sets);

table->use++;

return 0;

\-err\_set\_trans:

\- ops->destroy(set);

\-err\_set\_init:

+err\_set\_expr\_alloc:

for (i = 0; i < set->num\_exprs; i++)

nft\_expr\_destroy(&ctx, set->exprs\[i\]);

\-err\_set\_alloc\_name:

+

\+ ops->destroy(set);

+err\_set\_init:

kfree(set->name);

err\_set\_name:

kvfree(set);

CVE-2021-46283: git/torvalds/linux.git - Linux kernel source tree

Windows Event Tracing Discretionary Access Control List Denial of Service Vulnerability.

CVE-2022-21839

Windows IKE Extension Denial of Service Vulnerability. This CVE ID is unique from CVE-2022-21848, CVE-2022-21883, CVE-2022-21889, CVE-2022-21890.

CVE-2022-21843

Windows IKE Extension Denial of Service Vulnerability. This CVE ID is unique from CVE-2022-21843, CVE-2022-21883, CVE-2022-21889, CVE-2022-21890.

CVE-2022-21848

Windows Hyper-V Denial of Service Vulnerability.

Tag

#dos