+++ This bug was initially created as a clone of Bug #1252344 +++

A use-after-free flaw was found in the following code:

void nfct_helper_free(struct nfct_helper *h)
{
	int i;

	free(h);
	for (i=0; i<NF_CT_HELPER_CLASS_MAX; i++) {
		if (h->expect_policy[i])
			free(h->expect_policy[i]);
	}
}

The struct is freed first and its expect_policy members are read afterwards, so the loop dereferences freed memory. This was reported on oss-security as a potential vulnerability and fixed by upstream in master in commit 0c52422eb236b16bc663a7f22df3e30fb9c8bf71.

It is also reported by Coverity:

Error: USE_AFTER_FREE (CWE-825): [#def1]
libnetfilter_cthelper-1.0.0/src/libnetfilter_cthelper.c:116: freed_arg: "free" frees "h".
libnetfilter_cthelper-1.0.0/src/libnetfilter_cthelper.c:118: deref_after_free: Dereferencing freed pointer "h".
# 116|     free(h);
# 117|     for (i=0; i<NF_CT_HELPER_CLASS_MAX; i++) {
# 118|->       if (h->expect_policy[i])
# 119|             free(h->expect_policy[i]);
# 120|     }

Additional info:
https://bugzilla.netfilter.org/show_bug.cgi?id=990
http://seclists.org/oss-sec/2015/q2/228
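The following is an added example, not code from the bug report, from libnetfilter_cthelper, or from the upstream fix commit. It places the reported ordering next to a corrected destructor that releases the owned expect_policy entries before the container, and wraps free() in a counter so the teardown can be checked. The struct layouts, the NF_CT_HELPER_CLASS_MAX value and the helper constructor are constructed stand-ins and are assumed, not the library's real definitions.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-ins for the library's types (assumption: the real
 * libnetfilter_cthelper layout differs; only the ownership shape matters). */
#define NF_CT_HELPER_CLASS_MAX 4

struct nfct_helper_policy {
    char name[16];
    unsigned int max_expected;
};

struct nfct_helper {
    char name[16];
    struct nfct_helper_policy *expect_policy[NF_CT_HELPER_CLASS_MAX];
};

/* Instrumentation around free(): counts releases so a test can confirm every
 * allocation owned by a helper is freed exactly once. Not library code. */
static int frees_done;

static void counted_free(void *p)
{
    if (p)
        frees_done++;
    free(p);
}

/* The order from the report: container freed, then its members read.
 * Kept only for contrast and never called; the read after free is undefined
 * behaviour and is what ASan, Valgrind and Coverity flag. */
void nfct_helper_free_vulnerable(struct nfct_helper *h)
{
    int i;

    counted_free(h);
    for (i = 0; i < NF_CT_HELPER_CLASS_MAX; i++) {
        if (h->expect_policy[i])            /* h is already freed here */
            counted_free(h->expect_policy[i]);
    }
}

/* Corrected order: release what the container owns, then the container.
 * free(NULL) is a no-op, so the per-entry NULL check is unnecessary. */
void nfct_helper_free_fixed(struct nfct_helper *h)
{
    int i;

    if (!h)
        return;
    for (i = 0; i < NF_CT_HELPER_CLASS_MAX; i++) {
        counted_free(h->expect_policy[i]);
        h->expect_policy[i] = NULL;
    }
    counted_free(h);
}

/* Build a helper whose first `npolicies` classes are populated (constructed data). */
struct nfct_helper *make_helper(int npolicies)
{
    struct nfct_helper *h = calloc(1, sizeof(*h));
    int i;

    if (!h)
        return NULL;
    snprintf(h->name, sizeof(h->name), "example");
    for (i = 0; i < npolicies && i < NF_CT_HELPER_CLASS_MAX; i++) {
        h->expect_policy[i] = calloc(1, sizeof(*h->expect_policy[i]));
        if (!h->expect_policy[i]) {
            nfct_helper_free_fixed(h);      /* partial teardown is safe too */
            return NULL;
        }
        snprintf(h->expect_policy[i]->name, sizeof(h->expect_policy[i]->name), "class%d", i);
        h->expect_policy[i]->max_expected = 1;
    }
    return h;
}

/* Destroy a helper with `npolicies` policies and return the number of free()
 * calls observed: the policies plus the container itself. */
int count_frees_for(int npolicies)
{
    struct nfct_helper *h = make_helper(npolicies);

    if (!h)
        return -1;
    frees_done = 0;
    nfct_helper_free_fixed(h);
    return frees_done;
}

int main(void)
{
    printf("frees for 2 policies: %d\n", count_frees_for(2));
    printf("frees for 0 policies: %d\n", count_frees_for(0));
    return 0;
}
```

Running the fixed destructor under AddressSanitizer or Valgrind is clean, whereas the vulnerable ordering triggers a heap-use-after-free report at the first loop iteration; a teardown that reads a container after freeing it is the pattern Coverity's USE_AFTER_FREE checker (CWE-825) is matching above.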
*** This bug has been marked as a duplicate of bug 1252344 ***