Upon identifying an extension option, ebt_command_default() would have
the extension parse the option prior to creating a copy for attaching to
the iptables_command_state object. After copying, the (modified)
initial extension's data was cleared.
This somewhat awkward process breaks with among match which increases
match_size if needed (but never reduces it). This change is not undone,
hence leaks into following instances. This in turn is problematic with
ebtables-restore only (as multiple rules are parsed) and specifically
when deleting rules as the potentially over-sized match_size won't match
the one parsed from the kernel.
A workaround would be to make bramong_parse() realloc the match also if
new size is smaller than the old one. This patch attempts a proper fix
though, by making ebt_command_default() copy the extension first and
parsing the option into the copy afterwards.
No Fixes tag: Prior to commit 24bb57d3f52ac ("ebtables: Support for
guided option parser"), ebtables relied upon the extension's parser
return code instead of checking option_offset, so copying the extension
opportunistically wasn't feasible.
Signed-off-by: Phil Sutter <phil@xxxxxx>
---
iptables/nft-bridge.h | 8 ++++----
iptables/xtables-eb.c | 16 ++++++++++------
2 files changed, 14 insertions(+), 10 deletions(-)
diff --git a/iptables/nft-bridge.h b/iptables/nft-bridge.h
index 13b077fc4fbf3..54b473ebff6b0 100644
--- a/iptables/nft-bridge.h
+++ b/iptables/nft-bridge.h
@@ -108,10 +108,10 @@ static inline const char *ebt_target_name(unsigned int verdict)
}) \
void ebt_cs_clean(struct iptables_command_state *cs);
-void ebt_add_match(struct xtables_match *m,
- struct iptables_command_state *cs);
-void ebt_add_watcher(struct xtables_target *watcher,
- struct iptables_command_state *cs);
+struct xtables_match *ebt_add_match(struct xtables_match *m,
+ struct iptables_command_state *cs);
+struct xtables_target *ebt_add_watcher(struct xtables_target *watcher,
+ struct iptables_command_state *cs);
int ebt_command_default(struct iptables_command_state *cs,
struct xtables_globals *unused, bool ebt_invert);
diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
index 658cf4b98c04d..06386cd90830c 100644
--- a/iptables/xtables-eb.c
+++ b/iptables/xtables-eb.c
@@ -367,8 +367,8 @@ static void ebt_load_match_extensions(void)
ebt_load_watcher("nflog");
}
-void ebt_add_match(struct xtables_match *m,
- struct iptables_command_state *cs)
+struct xtables_match *ebt_add_match(struct xtables_match *m,
+ struct iptables_command_state *cs)
{
struct xtables_rule_match **rule_matches = &cs->matches;
struct xtables_match *newm;
@@ -397,10 +397,12 @@ void ebt_add_match(struct xtables_match *m,
for (matchp = &cs->match_list; *matchp; matchp = &(*matchp)->next)
;
*matchp = newnode;
+
+ return newm;
}
-void ebt_add_watcher(struct xtables_target *watcher,
- struct iptables_command_state *cs)
+struct xtables_target *ebt_add_watcher(struct xtables_target *watcher,
+ struct iptables_command_state *cs)
{
struct ebt_match *newnode, **matchp;
struct xtables_target *clone;
@@ -425,6 +427,8 @@ void ebt_add_watcher(struct xtables_target *watcher,
for (matchp = &cs->match_list; *matchp; matchp = &(*matchp)->next)
;
*matchp = newnode;
+
+ return clone;
}
int ebt_command_default(struct iptables_command_state *cs,
@@ -476,8 +480,8 @@ int ebt_command_default(struct iptables_command_state *cs,
if (cs->c < m->option_offset ||
cs->c >= m->option_offset + XT_OPTION_OFFSET_SCALE)
continue;
+ m = ebt_add_match(m, cs);
xtables_option_mpcall(cs->c, cs->argv, ebt_invert, m, &cs->eb);
- ebt_add_match(m, cs);
return 0;
}
@@ -491,8 +495,8 @@ int ebt_command_default(struct iptables_command_state *cs,
if (cs->c < t->option_offset ||
cs->c >= t->option_offset + XT_OPTION_OFFSET_SCALE)
continue;
+ t = ebt_add_watcher(t, cs);
xtables_option_tpcall(cs->c, cs->argv, ebt_invert, t, &cs->eb);
- ebt_add_watcher(t, cs);
return 0;
}
if (cs->c == ':')
--
2.47.0
