From e29c979e885ab3f16ab6b2b26a33bc079bb39c88 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=D0=9A=D0=BE=D1=80=D0=B5=D0=BD=D0=B1=D0=B5=D1=80=D0=B3=20?= =?UTF-8?q?=D0=9C=D0=B0=D1=80=D0=BA?=
Date: Thu, 2 Jul 2015 14:59:55 +0500
Subject: [PATCH] nf: fix potential bug in nfnl_queue_msg_set_payload() when malloc() failed

Suppose the case:
1. message have already some payload
2. malloc() failed

In that case:
1. msg->queue_msg_payload become NULL
2. msg->queue_msg_payload_len stay non-zero

Now when malloc() error occurs, nothing changed.

https://github.com/thom311/libnl/pull/83
---
 lib/netfilter/queue_msg_obj.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/lib/netfilter/queue_msg_obj.c b/lib/netfilter/queue_msg_obj.c
index b3b49ef..98f9a99 100644
--- a/lib/netfilter/queue_msg_obj.c
+++ b/lib/netfilter/queue_msg_obj.c
@@ -405,12 +405,15 @@ const uint8_t *nfnl_queue_msg_get_hwaddr(const struct nfnl_queue_msg *msg,
 int nfnl_queue_msg_set_payload(struct nfnl_queue_msg *msg, uint8_t *payload,
 			       int len)
 {
-	free(msg->queue_msg_payload);
-	msg->queue_msg_payload = malloc(len);
-	if (!msg->queue_msg_payload)
-		return -NLE_NOMEM;
+	void *new_payload = malloc(len);
 
-	memcpy(msg->queue_msg_payload, payload, len);
+	if (new_payload == NULL)
+		return -NLE_NOMEM;
+	memcpy(new_payload, payload, len);
+
+	free(msg->queue_msg_payload);
+
+	msg->queue_msg_payload = new_payload;
 	msg->queue_msg_payload_len = len;
 	msg->ce_mask |= QUEUE_MSG_ATTR_PAYLOAD;
 	return 0;
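Review bot: `len` is an `int` that flows unchecked into the new `malloc(len)` and `memcpy(new_payload, payload, len)`, so a negative length is converted to a very large `size_t`; the allocation will almost certainly fail, but the caller is then told `-NLE_NOMEM` instead of being told the argument was invalid. A guard at the top of the body, `if (len < 0) return -NLE_INVAL;`, would report the real condition before any allocation is attempted. With `len == 0`, an implementation whose `malloc(0)` returns NULL would likewise be reported as out-of-memory, which is inherited from the old code but worth a short comment on the NULL check. The function's closing brace is outside the hunk.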