From f8486dc1c5f4522fc17bb118723783784519cce7 Mon Sep 17 00:00:00 2001
From: Thomas Woerner
Date: Thu, 11 Nov 2004 11:55:39 +0000
Subject: [PATCH] [tw] - fixed autoload problem in iptables and ip6tables (CAN-2004-0986)
---
 iptables-1.2.11-autoload.patch | 48 ++++++++++++++++++++++++++++++++++
 iptables.spec | 7 ++++-
 2 files changed, 54 insertions(+), 1 deletion(-)
 create mode 100644 iptables-1.2.11-autoload.patch
diff --git a/iptables-1.2.11-autoload.patch b/iptables-1.2.11-autoload.patch
new file mode 100644
index 0000000..2bdefef
--- /dev/null
+++ b/iptables-1.2.11-autoload.patch
@@ -0,0 +1,48 @@
+--- iptables-1.2.11/ip6tables.c.autoload 2004-11-11 12:03:35.221306429 +0100
++++ iptables-1.2.11/ip6tables.c 2004-11-11 12:04:43.382900379 +0100
+@@ -1595,15 +1595,18 @@
+ int procfile;
+ char *ret;
+
++#define PROCFILE_BUFSIZ 1024
++
+ procfile = open(PROC_SYS_MODPROBE, O_RDONLY);
+ if (procfile < 0)
+ return NULL;
+
+- ret = malloc(1024);
++ ret = malloc(PROCFILE_BUFSIZ);
+ if (ret) {
+- switch (read(procfile, ret, 1024)) {
++ memset(ret, 0, PROCFILE_BUFSIZ);
++ switch (read(procfile, ret, PROCFILE_BUFSIZ)) {
+ case -1: goto fail;
+- case 1024: goto fail; /* Partial read. Wierd */
++ case PROCFILE_BUFSIZ: goto fail; /* Partial read. Wierd */
+ }
+ if (ret[strlen(ret)-1]=='\n')
+ ret[strlen(ret)-1]=0;
+--- iptables-1.2.11/iptables.c.autoload 2004-11-11 12:01:35.601815606 +0100
++++ iptables-1.2.11/iptables.c 2004-11-11 12:02:50.496478760 +0100
+@@ -1593,15 +1593,18 @@
+ int procfile;
+ char *ret;
+
++#define PROCFILE_BUFSIZ 1024
++
+ procfile = open(PROC_SYS_MODPROBE, O_RDONLY);
+ if (procfile < 0)
+ return NULL;
+
+- ret = malloc(1024);
++ ret = malloc(PROCFILE_BUFSIZ);
+ if (ret) {
+- switch (read(procfile, ret, 1024)) {
++ memset(ret, 0, PROCFILE_BUFSIZ);
++ switch (read(procfile, ret, PROCFILE_BUFSIZ)) {
+ case -1: goto fail;
+- case 1024: goto fail; /* Partial read. Wierd */
++ case PROCFILE_BUFSIZ: goto fail; /* Partial read. Wierd */
+ }
+ if (ret[strlen(ret)-1]=='\n')
+ ret[strlen(ret)-1]=0;
diff --git a/iptables.spec b/iptables.spec
index 27bf4cf..9751bb7 100644
--- a/iptables.spec
+++ b/iptables.spec
@@ -4,7 +4,7 @@
 Name: iptables
 Summary: Tools for managing Linux kernel packet filtering capabilities.
 Version: 1.2.11
-Release: 3.1
+Release: 3.2
 Source: http://www.netfilter.org/%{name}-%{version}.tar.bz2
 Source1: iptables.init
 Source2: iptables-config
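Review bot: A `read()` that returns 0 still falls through the switch in both the ip6tables.c and iptables.c hunks of iptables-1.2.11-autoload.patch. With the buffer now zero-filled, `strlen(ret)` is then 0, so `ret[strlen(ret)-1]` reads, and may write, one byte before the allocation. Whether the proc file can ever yield zero bytes is not visible here, but adding `case 0: goto fail;` to the switch closes that path at no cost. The `memset` is what guarantees NUL termination after a short read, so a comment such as `/* zero-fill: read() does not NUL-terminate */` would protect it from later cleanup, and `calloc(1, PROCFILE_BUFSIZ)` would fold allocation and zeroing into one call. The enclosing function begins and ends outside both hunks, so the `fail` label is assumed from the existing `goto fail` lines.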
@@ -17,6 +17,7 @@ Patch5: iptables-1.2.9-selinux.patch Patch6: iptables-1.2.10-counters.patch Patch7: iptables-1.2.11-free.patch Patch8: iptables-1.2.11-cleanup.patch +Patch9: iptables-1.2.11-autoload.patch Group: System Environment/Base URL: http://www.netfilter.org/ BuildRoot: %{_tmppath}/%{name}-buildroot @@ -74,6 +75,7 @@ cd .. %patch6 -p1 -b .counters %patch7 -p1 -b .free %patch8 -p1 -b .cleanup +%patch9 -p1 -b .autoload # Put it to a reasonable place find . -type f -exec perl -pi -e "s,/usr/local,%{prefix},g" {} \; @@ -148,6 +150,9 @@ fi %endif %changelog +* Thu Nov 11 2004 Thomas Woerner 1.2.11-3.2 +- fixed autoload problem in iptables and ip6tables (CAN-2004-0986) + * Fri Sep 17 2004 Thomas Woerner 1.2.11-3.1 - changed default behaviour for IPTABLES_STATUS_NUMERIC to "yes" (#129731) - modified config file to match this change and un-commented variables with