From patchwork Tue Feb 11 17:09:13 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Phil Sutter X-Patchwork-Id: 1236380 X-Patchwork-Delegate: pablo@netfilter.org Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (no SPF record) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=nwl.cc Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 48H8Q65ypqz9s3x for ; Wed, 12 Feb 2020 04:09:18 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728696AbgBKRJS (ORCPT ); Tue, 11 Feb 2020 12:09:18 -0500 Received: from orbyte.nwl.cc ([151.80.46.58]:33676 "EHLO orbyte.nwl.cc" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728369AbgBKRJR (ORCPT ); Tue, 11 Feb 2020 12:09:17 -0500 Received: from localhost ([::1]:46764 helo=tatos) by orbyte.nwl.cc with esmtp (Exim 4.91) (envelope-from ) id 1j1Z2C-0004Ee-A3; Tue, 11 Feb 2020 18:09:16 +0100 
From: Phil Sutter
To: Pablo Neira Ayuso
Cc: netfilter-devel@vger.kernel.org, Arturo Borrero Gonzalez
Subject: [iptables PATCH] xtables-restore: fix for --noflush and empty lines
Date: Tue, 11 Feb 2020 18:09:13 +0100
Message-Id: <20200211170913.2374-1-phil@nwl.cc>
X-Mailer: git-send-email 2.24.1
MIME-Version: 1.0
Sender: netfilter-devel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: netfilter-devel@vger.kernel.org

Lookahead buffer used for cache requirements estimate in restore --noflush separates individual lines with nul-chars. Two consecutive nul-chars are interpreted as end of buffer and remaining buffer content is skipped.

Sadly, reading an empty line (i.e., one containing a newline character only) caused double nul-chars to appear in buffer as well, leading to premature stop when reading cached lines from buffer.

To fix that, make use of xtables_restore_parse_line() skipping empty lines without calling strtok() and just leave the newline character in place. A more intuitive approach, namely skipping empty lines while buffering, is deliberately not chosen as that would cause wrong values in 'line' variable.

Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1400
Fixes: 09cb517949e69 ("xtables-restore: Improve performance of --noflush operation")
Signed-off-by: Phil Sutter
Acked-by: Arturo Borrero Gonzalez

--- .../ipt-restore/0011-noflush-empty-line_0 | 16 ++++++++++++++++ iptables/xtables-restore.c | 8 +++++--- 2 files changed, 21 insertions(+), 3 deletions(-) create mode 100755 iptables/tests/shell/testcases/ipt-restore/0011-noflush-empty-line_0 diff --git a/iptables/tests/shell/testcases/ipt-restore/0011-noflush-empty-line_0 b/iptables/tests/shell/testcases/ipt-restore/0011-noflush-empty-line_0 new file mode 100755 index 0000000000000..bea1a690bb624 --- /dev/null +++ b/iptables/tests/shell/testcases/ipt-restore/0011-noflush-empty-line_0 
@@ -0,0 +1,16 @@ +#!/bin/bash -e + +# make sure empty lines won't break --noflush + +cat <in)) { size_t blen = strlen(buffer); - /* drop trailing newline; xtables_restore_parse_line() + /* Drop trailing newline; xtables_restore_parse_line() * uses strtok() which replaces them by nul-characters, * causing unpredictable string delimiting in - * preload_buffer */ - if (buffer[blen - 1] == '\n') + * preload_buffer. + * Unless this is an empty line which would fold into a + * spurious EoB indicator (double nul-char). */ + if (buffer[blen - 1] == '\n' && blen > 1) buffer[blen - 1] = '\0'; else blen++;
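
Review bot: In the xtables-restore.c hunk, the new condition `if (buffer[blen - 1] == '\n' && blen > 1)` still reads `buffer[blen - 1]` before it tests `blen`, so a line that fgets() returns starting with a nul byte (strlen() of 0) indexes `buffer[-1]`. Since the condition is being changed anyway, put the length test first, `blen > 1 && buffer[blen - 1] == '\n'`, so the index is only evaluated for lines of at least two characters. Note that a zero-length line then takes the `blen++` branch and stores a lone nul-char, which is the same spurious double nul-char this patch removes for empty lines; the comment should say whether that input is expected to be handled or rejected.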
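
The buffer behaviour the commit message describes, as an added example that is not part of the patch or of iptables' own code: a simplified model of a nul-separated lookahead buffer, run once with the pre-patch newline handling and once with the "blen > 1" condition. The names preload, count_cached and cached_lines, the buffer size and the sample rule lines are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define BUFSZ 256	/* assumed size; lines are nul-separated, "\0\0" ends the buffer */

/* Append lines the way the buffering loop in the hunk does. fixed == 0 always
 * drops the trailing newline (pre-patch); fixed != 0 applies the "blen > 1" test. */
static void preload(char *buf, const char *const *lines, size_t n, int fixed)
{
	size_t off = 0;

	memset(buf, 0, BUFSZ);
	for (size_t i = 0; i < n; i++) {
		size_t blen = strlen(lines[i]);

		if (off + blen + 2 > BUFSZ)	/* keep room for the end marker */
			break;
		memcpy(buf + off, lines[i], blen + 1);
		if (blen > 0 && buf[off + blen - 1] == '\n' && (!fixed || blen > 1))
			buf[off + blen - 1] = '\0';	/* newline becomes the separator */
		else
			blen++;				/* keep content, count its nul */
		off += blen;
	}
}

/* Walk the buffer like a consumer that treats an empty string, i.e. a second
 * nul-char in a row, as end of buffer. Returns the number of lines seen. */
static size_t count_cached(const char *buf)
{
	size_t n = 0;

	for (const char *p = buf; *p; p += strlen(p) + 1)
		n++;
	return n;
}

/* Constructed sample input: five restore lines, the third one empty. */
static size_t cached_lines(int fixed)
{
	static const char *const lines[] = { "*filter\n", "-A FORWARD -j ACCEPT\n",
					     "\n", "-A FORWARD -j DROP\n", "COMMIT\n" };
	char buf[BUFSZ];

	preload(buf, lines, sizeof(lines) / sizeof(lines[0]), fixed);
	return count_cached(buf);
}

int main(void)
{
	printf("pre-patch: %zu of 5 lines read back\n", cached_lines(0));
	printf("patched:   %zu of 5 lines read back\n", cached_lines(1));
	return 0;
}
```

In the pre-patch run everything after the empty line, including the DROP rule and COMMIT, is never read back from the buffer.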