[PATCH 07/13] ip[6]tables: only call match's parse function when option char is in range

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Normally, extensions use a "default:" case in switch(c) to just return
if they do not handle c. Apparently, libip6t_hl does that too late and
checks for hl-specific parsing state before it has established that c
refers to one of its own options.

Also affected: libipt_ttl, libxt_ipvs, libxt_policy, libxt_statistic.

One way to fix this is to move the flags checks into case '2', '3',
'4'. Doing this replication feels bad, so as an alternative, let's
just free extensions from having to deal with other extension's
options passing thru.

References: http://marc.info/?l=netfilter-devel&m=129444759532377&w=2
Signed-off-by: Jan Engelhardt <jengelh@xxxxxxxxxx>
---
 ip6tables.c |    3 +++
 iptables.c  |    3 +++
 xshared.h   |    4 ++++
 xtables.c   |    4 ++--
 4 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/ip6tables.c b/ip6tables.c
index b8449f6..4ca4bfe 100644
--- a/ip6tables.c
+++ b/ip6tables.c
@@ -1714,6 +1714,9 @@ int do_command6(int argc, char *argv[], char **table, struct ip6tc_handle **hand
 					if (matchp->completed ||
 					    matchp->match->parse == NULL)
 						continue;
+					if (c < matchp->match->option_offset ||
+					    c >= matchp->match->option_offset + XT_OPTION_OFFSET_SCALE)
+						continue;
 					if (matchp->match->parse(c - matchp->match->option_offset,
 						     argv, invert,
 						     &matchp->match->mflags,
diff --git a/iptables.c b/iptables.c
index e0efbf1..bcacd49 100644
--- a/iptables.c
+++ b/iptables.c
@@ -1746,6 +1746,9 @@ int do_command(int argc, char *argv[], char **table, struct iptc_handle **handle
 					if (matchp->completed ||
 					    matchp->match->parse == NULL)
 						continue;
+					if (c < matchp->match->option_offset ||
+					    c >= matchp->match->option_offset + XT_OPTION_OFFSET_SCALE)
+						continue;
 					if (matchp->match->parse(c - matchp->match->option_offset,
 						     argv, invert,
 						     &matchp->match->mflags,
diff --git a/xshared.h b/xshared.h
index c53b618..e5b2a02 100644
--- a/xshared.h
+++ b/xshared.h
@@ -4,6 +4,10 @@
 struct xtables_rule_match;
 struct xtables_target;
 
+enum {
+	XT_OPTION_OFFSET_SCALE = 256,
+};
+
 extern void print_extension_helps(const struct xtables_target *,
 	const struct xtables_rule_match *);
 
diff --git a/xtables.c b/xtables.c
index b630901..5b7526c 100644
--- a/xtables.c
+++ b/xtables.c
@@ -49,7 +49,7 @@
 #	define IP6T_SO_GET_REVISION_TARGET	69
 #endif
 #include <getopt.h>
-
+#include "xshared.h"
 
 #define NPROTO	255
 
@@ -111,7 +111,7 @@ struct option *xtables_merge_options(struct option *orig_opts,
 	mp = merge + num_oold;
 
 	/* Second, the new options */
-	xt_params->option_offset += 256;
+	xt_params->option_offset += XT_OPTION_OFFSET_SCALE;
 	*option_offset = xt_params->option_offset;
 	memcpy(mp, newopts, sizeof(*mp) * num_new);
 
-- 
1.7.1

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[Index of Archives]     [Netfitler Users]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux