X-Patchwork-Submitter: Hans Dedecker
X-Patchwork-Id: 443429
From: Hans Dedecker
To: openwrt-devel@lists.openwrt.org
Cc: Hans Dedecker
Date: Wed, 25 Feb 2015 16:00:56 +0100
Message-Id: <1424876456-7729-1-git-send-email-dedeckeh@gmail.com>
Subject: [OpenWrt-Devel] [PATCH] firewall3: fix null pointer access when no target is present

Signed-off-by: Hans Dedecker
--- iptables.c | 28 +++++++++++++++++----------- 1 file changed, 17 insertions(+), 11 deletions(-) diff --git a/iptables.c b/iptables.c index 03987af..ca84761 100644 --- a/iptables.c +++ b/iptables.c @@ -1199,7 +1199,9 @@ rule_mask(struct fw3_ipt_rule *r) for (m = r->matches; m; m = m->next) s += SZ(ip6t_entry_match) + m->match->size; - s += SZ(ip6t_entry_target) + r->target->size; + s += SZ(ip6t_entry_target); + if (r->target) + s += r->target->size; mask = fw3_alloc(s); memset(mask, 0xFF, SZ(ip6t_entry)); @@ -1211,7 +1213,7 @@ rule_mask(struct fw3_ipt_rule *r) p += SZ(ip6t_entry_match) + m->match->size; } - memset(p, 0xFF, SZ(ip6t_entry_target) + r->target->userspacesize); + memset(p, 0xFF, SZ(ip6t_entry_target) + (r->target) ? r->target->userspacesize : 0); } else #endif 
@@ -1221,7 +1223,9 @@ rule_mask(struct fw3_ipt_rule *r) for (m = r->matches; m; m = m->next) s += SZ(ipt_entry_match) + m->match->size; - s += SZ(ipt_entry_target) + r->target->size; + s += SZ(ipt_entry_target); + if (r->target) + s += r->target->size; mask = fw3_alloc(s); memset(mask, 0xFF, SZ(ipt_entry)); @@ -1233,7 +1237,7 @@ rule_mask(struct fw3_ipt_rule *r) p += SZ(ipt_entry_match) + m->match->size; } - memset(p, 0xFF, SZ(ipt_entry_target) + r->target->userspacesize); + memset(p, 0xFF, SZ(ipt_entry_target) + (r->target) ? r->target->userspacesize : 0); } return mask; @@ -1242,7 +1246,7 @@ rule_mask(struct fw3_ipt_rule *r) static void * rule_build(struct fw3_ipt_rule *r) { - size_t s; + size_t s, target_size = (r->target) ? r->target->t->u.target_size : 0; struct xtables_rule_match *m; #ifndef DISABLE_IPV6 @@ -1255,12 +1259,12 @@ rule_build(struct fw3_ipt_rule *r) for (m = r->matches; m; m = m->next) s += m->match->m->u.match_size; - e6 = fw3_alloc(s + r->target->t->u.target_size); + e6 = fw3_alloc(s + target_size); memcpy(e6, &r->e6, sizeof(struct ip6t_entry)); e6->target_offset = s; - e6->next_offset = s + r->target->t->u.target_size; + e6->next_offset = s + target_size; s = 0; @@ -1270,7 +1274,8 @@ rule_build(struct fw3_ipt_rule *r) s += m->match->m->u.match_size; } - memcpy(e6->elems + s, r->target->t, r->target->t->u.target_size); + if (target_size) + memcpy(e6->elems + s, r->target->t, target_size); return e6; } @@ -1284,12 +1289,12 @@ rule_build(struct fw3_ipt_rule *r) for (m = r->matches; m; m = m->next) s += m->match->m->u.match_size; - e = fw3_alloc(s + r->target->t->u.target_size); + e = fw3_alloc(s + target_size); memcpy(e, &r->e, sizeof(struct ipt_entry)); e->target_offset = s; - e->next_offset = s + r->target->t->u.target_size; + e->next_offset = s + target_size; s = 0; 
@@ -1299,7 +1304,8 @@ rule_build(struct fw3_ipt_rule *r) s += m->match->m->u.match_size; } - memcpy(e->elems + s, r->target->t, r->target->t->u.target_size); + if (target_size) + memcpy(e->elems + s, r->target->t, target_size); return e; }
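
Review bot: In both new memset() lines in rule_mask() (hunks @@ -1211,7 +1213,7 @@ and @@ -1233,7 +1237,7 @@) the ternary is not parenthesised, so the length parses as (SZ(...) + (r->target)) ? r->target->userspacesize : 0. The condition is the sum rather than r->target, so whenever SZ(...) is non-zero the r->target->userspacesize branch is taken: a NULL r->target is still dereferenced, and for a valid target the SZ(...) header bytes are no longer part of the length. Suggest SZ(ip6t_entry_target) + (r->target ? r->target->userspacesize : 0), and the same for the ipt_entry_target line.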
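
Review bot: rule_mask() and rule_build() now disagree on the layout of a rule without a target. The @@ -1199,7 +1199,9 @@ and @@ -1221,7 +1223,9 @@ hunks still add SZ(ip6t_entry_target) / SZ(ipt_entry_target) to s unconditionally, while rule_build() starts from target_size = 0, so target_offset equals next_offset and the built entry is shorter than the mask computed for it. Reserve the target header in both functions or in neither, and add a comment stating which layout is intended when r->target is NULL.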
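
Review bot: The new if (r->target) check in the @@ -1199,7 +1199,9 @@ hunk, and the matching checks in the later hunks, are not explained anywhere: the commit message has only a subject and a Signed-off-by, and none of the hunks show how a struct fw3_ipt_rule reaches rule_mask() or rule_build() with r->target == NULL. Please describe the triggering call path or configuration in the commit message, so it is clear whether a target-less rule is a legitimate input that must be built or an earlier error that should be rejected before these functions run.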