|
 |
9a3fa7 |
From 72859f25cb799ba4ac0b532c59bd01be70950f00 Mon Sep 17 00:00:00 2001
|
|
|
9a3fa7 |
From: Phil Sutter <psutter@redhat.com>
|
|
|
9a3fa7 |
Date: Fri, 15 Mar 2019 17:51:28 +0100
|
|
|
9a3fa7 |
Subject: [PATCH] libiptc: Avoid side-effect in memset() calls
|
|
|
9a3fa7 |
|
|
|
9a3fa7 |
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980
|
|
|
9a3fa7 |
Upstream Status: iptables commit e6f986762667e
|
|
|
9a3fa7 |
|
|
|
9a3fa7 |
commit e6f986762667ee2b2d61e7978d460f28916158a3
|
|
|
9a3fa7 |
Author: Phil Sutter <phil@nwl.cc>
|
|
|
9a3fa7 |
Date: Mon Sep 10 23:35:14 2018 +0200
|
|
|
9a3fa7 |
|
|
|
9a3fa7 |
libiptc: Avoid side-effect in memset() calls
|
|
|
9a3fa7 |
|
|
|
9a3fa7 |
These calls to memset() are passed a length argument which exceeds
|
|
|
9a3fa7 |
t->target.u.user.name's length by one byte and hence overwrite
|
|
|
9a3fa7 |
t->target.u.user.revision as well (relying upon no padding to happen
|
|
|
9a3fa7 |
between both).
|
|
|
9a3fa7 |
|
|
|
9a3fa7 |
Avoid this obscure behaviour by passing the correct field size and
|
|
|
9a3fa7 |
explicitly overwriting 'revision' field.
|
|
|
9a3fa7 |
|
|
|
9a3fa7 |
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
|
|
9a3fa7 |
Signed-off-by: Florian Westphal <fw@strlen.de>
|
|
|
9a3fa7 |
|
|
|
9a3fa7 |
Signed-off-by: Phil Sutter <psutter@redhat.com>
|
|
|
9a3fa7 |
---
|
|
|
9a3fa7 |
libiptc/libiptc.c | 6 ++++--
|
|
|
9a3fa7 |
1 file changed, 4 insertions(+), 2 deletions(-)
|
|
|
9a3fa7 |
|
|
|
9a3fa7 |
diff --git a/libiptc/libiptc.c b/libiptc/libiptc.c
|
|
|
9a3fa7 |
index d2427c16a5254..4c0fbd5d7e68c 100644
|
|
|
9a3fa7 |
--- a/libiptc/libiptc.c
|
|
|
9a3fa7 |
+++ b/libiptc/libiptc.c
|
|
|
9a3fa7 |
@@ -1115,8 +1115,9 @@ static inline int iptcc_compile_rule (struct xtc_handle *h, STRUCT_REPLACE *repl
|
|
|
9a3fa7 |
STRUCT_STANDARD_TARGET *t;
|
|
|
9a3fa7 |
t = (STRUCT_STANDARD_TARGET *)GET_TARGET(r->entry);
|
|
|
9a3fa7 |
/* memset for memcmp convenience on delete/replace */
|
|
|
9a3fa7 |
- memset(t->target.u.user.name, 0, FUNCTION_MAXNAMELEN);
|
|
|
9a3fa7 |
+ memset(t->target.u.user.name, 0, XT_EXTENSION_MAXNAMELEN);
|
|
|
9a3fa7 |
strcpy(t->target.u.user.name, STANDARD_TARGET);
|
|
|
9a3fa7 |
+ t->target.u.user.revision = 0;
|
|
|
9a3fa7 |
/* Jumps can only happen to builtin chains, so we
|
|
|
9a3fa7 |
* can safely assume that they always have a header */
|
|
|
9a3fa7 |
t->verdict = r->jump->head_offset + IPTCB_CHAIN_START_SIZE;
|
|
|
9a3fa7 |
@@ -1676,8 +1677,9 @@ iptcc_standard_map(struct rule_head *r, int verdict)
|
|
|
9a3fa7 |
return 0;
|
|
|
9a3fa7 |
}
|
|
|
9a3fa7 |
/* memset for memcmp convenience on delete/replace */
|
|
|
9a3fa7 |
- memset(t->target.u.user.name, 0, FUNCTION_MAXNAMELEN);
|
|
|
9a3fa7 |
+ memset(t->target.u.user.name, 0, XT_EXTENSION_MAXNAMELEN);
|
|
|
9a3fa7 |
strcpy(t->target.u.user.name, STANDARD_TARGET);
|
|
|
9a3fa7 |
+ t->target.u.user.revision = 0;
|
|
|
9a3fa7 |
t->verdict = verdict;
|
|
|
9a3fa7 |
|
|
|
9a3fa7 |
r->type = IPTCC_R_STANDARD;
|
|
|
9a3fa7 |
--
|
|
|
9a3fa7 |
2.21.0
|
|
|
9a3fa7 |
|