Blame SOURCES/xtables-restore-Fix-table-parameter-check.patch

From bcf1d6cb8bd521c716ae38dd08ee52d267cfa25e Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Wed, 23 Oct 2019 12:06:55 +0200
Subject: [PATCH 1/2] xtables-restore: Fix --table parameter check

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1749700
Upstream Status: iptables commit 3dc433b55bbfa
Conflicts: Downstream does not support nft-variants.

commit 3dc433b55bbfaf9df3ee408aaa6282742f377864
Author: Phil Sutter <phil@nwl.cc>
Date:   Fri Sep 20 17:31:58 2019 +0200

    xtables-restore: Fix --table parameter check

    Xtables-restore tries to reject rule commands in input which contain a
    --table parameter (since it is adding this itself based on the previous
    table line). The manual check was not perfect though as it caught any
    parameter starting with a dash and containing a 't' somewhere, even in
    rule comments:

    | *filter
    | -A FORWARD -m comment --comment "- allow this one" -j ACCEPT
    | COMMIT

    Instead of error-prone manual checking, go a much simpler route: All
    do_command callbacks are passed a boolean indicating they're called from
    *tables-restore. React upon this when handling a table parameter and
    error out if it's not the first one.

    Fixes: f8e5ebc5986bf ("iptables: Fix crash on malformed iptables-restore")
    Signed-off-by: Phil Sutter <phil@nwl.cc>
    Acked-by: Florian Westphal <fw@strlen.de>

Signed-off-by: Phil Sutter <psutter@redhat.com>
---
 iptables/iptables.c |  4 ++++
 iptables/xshared.c  | 12 ------------
 2 files changed, 4 insertions(+), 12 deletions(-)

diff --git a/iptables/iptables.c b/iptables/iptables.c
index dc70cc6e9b0ec..d106a18949407 100644
--- a/iptables/iptables.c
+++ b/iptables/iptables.c
@@ -1591,6 +1591,10 @@ int do_command4(int argc, char *argv[], char **table,
 			if (cs.invert)
 				xtables_error(PARAMETER_PROBLEM,
 					   "unexpected ! flag before --table");
+			if (restore && *table)
+				xtables_error(PARAMETER_PROBLEM,
+					      "The -t option (seen in line %u) cannot be used in %s.\n",
+					      line, xt_params->program_name);
 			*table = optarg;
 			break;
 
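Review bot: `restore` and `line` are both used in this hunk without being introduced by it; `line` in particular used to be a parameter of add_param_to_argv (the function the second hunk edits), so confirm that the `line` visible inside do_command4 is the restore parser's current input line counter, otherwise the `%u` in "The -t option (seen in line %u) cannot be used in %s." will print a stale or unrelated number. Also note the scope: the check removed from xshared.c ran for every caller of the shared parser, while the replacement `if (restore && *table)` guard is added only to do_command4 and the diffstat lists no other option handler, so any other *tables-restore variant that consumes the same parser (ip6tables-restore's do_command6, if present downstream) needs the equivalent guard, presumably in 2/2 of this series.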
diff --git a/iptables/xshared.c b/iptables/xshared.c
index 84dbea562576e..058b5e8b63896 100644
--- a/iptables/xshared.c
+++ b/iptables/xshared.c
@@ -513,18 +513,6 @@ void add_param_to_argv(char *parsestart, int line)
 		}
 
 		param_buffer[param_len] = '\0';
-
-		/* check if table name specified */
-		if ((param_buffer[0] == '-' &&
-		     param_buffer[1] != '-' &&
-		     strchr(param_buffer, 't')) ||
-		    (!strncmp(param_buffer, "--t", 3) &&
-		     !strncmp(param_buffer, "--table", strlen(param_buffer)))) {
-			xtables_error(PARAMETER_PROBLEM,
-				      "The -t option (seen in line %u) cannot be used in %s.\n",
-				      line, xt_params->program_name);
-		}
-
 		add_argv(param_buffer, 0);
 		param_len = 0;
 	}
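Review bot: With this block gone, add_param_to_argv no longer rejects anything itself, so enforcing the restore-time `-t` rule now rests entirely on each do_command callback's option handler; please check whether the `line` parameter of `add_param_to_argv(char *parsestart, int line)` still has a user elsewhere in the function, because the removed xtables_error call was the only one visible here and the parameter is otherwise dead. The first branch of the removed condition, `param_buffer[0] == '-' && param_buffer[1] != '-' && strchr(param_buffer, 't')`, is exactly what matched the quoted comment value "- allow this one" from the commit message (a token starting with a single dash and containing a 't' in "this"), so a restore test with that three-line input would lock the fix in.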
-- 
2.23.0