rpms/iptables
7
0
Fork 0
Code Issues Pull Requests Releases Activity
c8
iptables/SOURCES/0084-extensions-among-Fix-for-use-with-ebtables-restore.patch
eabdullin ba6667b140 import UBI iptables-1.8.5-10.el8_9
2023-11-14 19:59:13 +00:00

58 lines
2.1 KiB
Diff
Raw Permalink Blame History

From 6a7b38bdb0253cfac68893ff7704f1f9cbfe891a Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Fri, 30 Sep 2022 17:51:55 +0200
Subject: [PATCH] extensions: among: Fix for use with ebtables-restore
When restoring multiple rules which use among match, new size may be
smaller than the old one which caused invalid writes by the memcpy()
call. Expect this and realloc the match only if it needs to grow. Also
use realloc instead of freeing and allocating from scratch.
Fixes: 26753888720d8 ("nft: bridge: Rudimental among extension support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit fca04aa7a53252464c289997e71de10189971da6)
---
extensions/libebt_among.c | 14 ++++++--------
1 file changed, 6 insertions(+), 8 deletions(-)
diff --git a/extensions/libebt_among.c b/extensions/libebt_among.c
index c607a775539d3..1eab201984408 100644
--- a/extensions/libebt_among.c
+++ b/extensions/libebt_among.c
@@ -119,7 +119,6 @@ static int bramong_parse(int c, char **argv, int invert,
struct xt_entry_match **match)
{
struct nft_among_data *data = (struct nft_among_data *)(*match)->data;
- struct xt_entry_match *new_match;
bool have_ip, dst = false;
size_t new_size, cnt;
struct stat stats;
@@ -170,18 +169,17 @@ static int bramong_parse(int c, char **argv, int invert,
new_size *= sizeof(struct nft_among_pair);
new_size += XT_ALIGN(sizeof(struct xt_entry_match)) +
sizeof(struct nft_among_data);
- new_match = xtables_calloc(1, new_size);
- memcpy(new_match, *match, (*match)->u.match_size);
- new_match->u.match_size = new_size;
- data = (struct nft_among_data *)new_match->data;
+ if (new_size > (*match)->u.match_size) {
+ *match = xtables_realloc(*match, new_size);
+ (*match)->u.match_size = new_size;
+ data = (struct nft_among_data *)(*match)->data;
+ }
+
have_ip = nft_among_pairs_have_ip(optarg);
poff = nft_among_prepare_data(data, dst, cnt, invert, have_ip);
parse_nft_among_pairs(data->pairs + poff, optarg, cnt, have_ip);
- free(*match);
- *match = new_match;
-
if (c == AMONG_DST_F || c == AMONG_SRC_F) {
munmap(argv, flen);
close(fd);
--
2.40.0
Reference in New Issue View Git Blame Copy Permalink