|
 |
576484 |
From 25af0fd3a7edd9a9aa5ed7ed63188456ee6389ef Mon Sep 17 00:00:00 2001
|
|
|
576484 |
From: Phil Sutter <phil@nwl.cc>
|
|
|
576484 |
Date: Wed, 4 Dec 2019 09:56:06 +0100
|
|
|
576484 |
Subject: [PATCH] xtables-restore: Fix parser feed from line buffer
|
|
|
576484 |
|
|
|
576484 |
When called with --noflush, xtables-restore would trip over chain lines:
|
|
|
576484 |
Parser uses strtok() to separate chain name, policy and counters which
|
|
|
576484 |
inserts nul-chars into the source string. Therefore strlen() can't be
|
|
|
576484 |
used anymore to find end of line. Fix this by caching line length before
|
|
|
576484 |
calling xtables_restore_parse_line().
|
|
|
576484 |
|
|
|
576484 |
Fixes: 09cb517949e69 ("xtables-restore: Improve performance of --noflush operation")
|
|
|
576484 |
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
576484 |
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
576484 |
(cherry picked from commit a103fbfadf4c17b8b12caa57eef72deaaa71a18c)
|
|
|
576484 |
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
|
|
576484 |
---
|
|
|
576484 |
.../testcases/ipt-restore/0010-noflush-new-chain_0 | 10 ++++++++++
|
|
|
576484 |
iptables/xtables-restore.c | 4 +++-
|
|
|
576484 |
2 files changed, 13 insertions(+), 1 deletion(-)
|
|
|
576484 |
create mode 100755 iptables/tests/shell/testcases/ipt-restore/0010-noflush-new-chain_0
|
|
|
576484 |
|
|
|
576484 |
diff --git a/iptables/tests/shell/testcases/ipt-restore/0010-noflush-new-chain_0 b/iptables/tests/shell/testcases/ipt-restore/0010-noflush-new-chain_0
|
|
|
576484 |
new file mode 100755
|
|
|
576484 |
index 0000000000000..739e684a21183
|
|
|
576484 |
--- /dev/null
|
|
|
576484 |
+++ b/iptables/tests/shell/testcases/ipt-restore/0010-noflush-new-chain_0
|
|
|
576484 |
@@ -0,0 +1,10 @@
|
|
|
576484 |
+#!/bin/sh -e
|
|
|
576484 |
+
|
|
|
576484 |
+# assert input feed from buffer doesn't trip over
|
|
|
576484 |
+# added nul-chars from parsing chain line.
|
|
|
576484 |
+
|
|
|
576484 |
+$XT_MULTI iptables-restore --noflush <
|
|
|
576484 |
+*filter
|
|
|
576484 |
+:foobar - [0:0]
|
|
|
576484 |
+-A foobar -j ACCEPT
|
|
|
576484 |
+COMMIT
|
|
|
576484 |
diff --git a/iptables/xtables-restore.c b/iptables/xtables-restore.c
|
|
|
576484 |
index 2f0fe7d439d94..dd907e0b8ddd5 100644
|
|
|
576484 |
--- a/iptables/xtables-restore.c
|
|
|
576484 |
+++ b/iptables/xtables-restore.c
|
|
|
576484 |
@@ -327,10 +327,12 @@ void xtables_restore_parse(struct nft_handle *h,
|
|
|
576484 |
line = 0;
|
|
|
576484 |
ptr = preload_buffer;
|
|
|
576484 |
while (*ptr) {
|
|
|
576484 |
+ size_t len = strlen(ptr);
|
|
|
576484 |
+
|
|
|
576484 |
h->error.lineno = ++line;
|
|
|
576484 |
DEBUGP("%s: buffered line %d: '%s'\n", __func__, line, ptr);
|
|
|
576484 |
xtables_restore_parse_line(h, p, &state, ptr);
|
|
|
576484 |
- ptr += strlen(ptr) + 1;
|
|
|
576484 |
+ ptr += len + 1;
|
|
|
576484 |
}
|
|
|
576484 |
if (*buffer) {
|
|
|
576484 |
h->error.lineno = ++line;
|
|
|
576484 |
--
|
|
|
576484 |
2.24.0
|
|
|
576484 |
|