[iptables PATCH 1/2] libxtables: xtoptions: Fix for garbage access in xtables_options_xfrm()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Allocation of the temporary array did not account for a terminating NULL
entry, causing array boundary overstepping in the called
xtables_merge_options(), causing spurious errors in extension parameter
parsing.

Fixes: ed8c3ea4015f0 ("libxtables: Combine the two extension option mergers")
Signed-off-by: Phil Sutter <phil@xxxxxx>
---
 libxtables/xtoptions.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c
index e27223e339cb2..433a686c2b595 100644
--- a/libxtables/xtoptions.c
+++ b/libxtables/xtoptions.c
@@ -93,12 +93,13 @@ xtables_options_xfrm(struct option *orig_opts, struct option *oldopts,
 	for (num_new = 0; entry[num_new].name != NULL; ++num_new)
 		;
 
-	mp = xtables_calloc(num_new, sizeof(*mp));
+	mp = xtables_calloc(num_new + 1, sizeof(*mp));
 	for (i = 0; i < num_new; i++) {
 		mp[i].name	= entry[i].name;
 		mp[i].has_arg	= entry[i].type != XTTYPE_NONE;
 		mp[i].val	= entry[i].id;
 	}
+
 	merge = xtables_merge_options(orig_opts, oldopts, mp, offset);
 
 	free(mp);
-- 
2.41.0





[Index of Archives]     [Netfitler Users]     [Berkeley Packet Filter]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux