From 3f4e13d60ddbb61bc3256221a98f5c5a954f6f5c Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Fri, 15 Mar 2019 17:51:28 +0100
Subject: [PATCH] libxtables: Avoid calling memcpy() with NULL source
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980
Upstream Status: iptables commit ab639f236ff85
commit ab639f236ff85d2f447cc6601c7ff42cefdaf853
Author: Phil Sutter <phil@nwl.cc>
Date: Wed Sep 19 15:16:54 2018 +0200
libxtables: Avoid calling memcpy() with NULL source
Both affected functions check if 'oldopts' is NULL once but later seem
to ignore that possibility. To catch up on that, increment the pointer
only if it isn't NULL, also don't copy its content into the merged
options buffer in that case.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Phil Sutter <psutter@redhat.com>
---
libxtables/xtables.c | 12 ++++++++----
libxtables/xtoptions.c | 12 ++++++++----
2 files changed, 16 insertions(+), 8 deletions(-)
diff --git a/libxtables/xtables.c b/libxtables/xtables.c
index 4a014e48a9f45..cf9a59d5ec095 100644
--- a/libxtables/xtables.c
+++ b/libxtables/xtables.c
@@ -119,8 +119,10 @@ struct option *xtables_merge_options(struct option *orig_opts,
* Since @oldopts also has @orig_opts already (and does so at the
* start), skip these entries.
*/
- oldopts += num_oold;
- num_old -= num_oold;
+ if (oldopts != NULL) {
+ oldopts += num_oold;
+ num_old -= num_oold;
+ }
merge = malloc(sizeof(*mp) * (num_oold + num_old + num_new + 1));
if (merge == NULL)
@@ -139,8 +141,10 @@ struct option *xtables_merge_options(struct option *orig_opts,
mp->val += *option_offset;
/* Third, the old options */
- memcpy(mp, oldopts, sizeof(*mp) * num_old);
- mp += num_old;
+ if (oldopts != NULL) {
+ memcpy(mp, oldopts, sizeof(*mp) * num_old);
+ mp += num_old;
+ }
xtables_free_opts(0);
/* Clear trailing entry */
diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c
index 1ad4cb57f5836..1d3fda73dedf7 100644
--- a/libxtables/xtoptions.c
+++ b/libxtables/xtoptions.c
@@ -91,8 +91,10 @@ xtables_options_xfrm(struct option *orig_opts, struct option *oldopts,
* Since @oldopts also has @orig_opts already (and does so at the
* start), skip these entries.
*/
- oldopts += num_orig;
- num_old -= num_orig;
+ if (oldopts != NULL) {
+ oldopts += num_orig;
+ num_old -= num_orig;
+ }
merge = malloc(sizeof(*mp) * (num_orig + num_old + num_new + 1));
if (merge == NULL)
@@ -114,8 +116,10 @@ xtables_options_xfrm(struct option *orig_opts, struct option *oldopts,
}
/* Third, the old options */
- memcpy(mp, oldopts, sizeof(*mp) * num_old);
- mp += num_old;
+ if (oldopts != NULL) {
+ memcpy(mp, oldopts, sizeof(*mp) * num_old);
+ mp += num_old;
+ }
xtables_free_opts(0);
/* Clear trailing entry */
--
2.21.0