Projects
Eulaceura:Mainline
iptables
_service:obs_scm:backport-libiptc-Fix-for-anoth...
Sign Up
Log In
Username
Password
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File _service:obs_scm:backport-libiptc-Fix-for-another-segfault-due-to-chain-index-NULL-pointer.patch of Package iptables
From e2d7ee9c49b582f399ad4ba2da2ee1b3e1f89620 Mon Sep 17 00:00:00 2001 From: Phil Sutter <phil@nwl.cc> Date: Thu, 12 Oct 2023 17:27:42 +0200 Subject: libiptc: Fix for another segfault due to chain index NULL pointer Chain rename code missed to adjust the num_chains value which is used to calculate the number of chain index buckets to allocate during an index rebuild. So with the right number of chains present, the last chain in a middle bucket being renamed (and ending up in another bucket) triggers an index rebuild based on false data. The resulting NULL pointer index bucket then causes a segfault upon reinsertion. Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1713 Fixes: 64ff47cde38e4 ("libiptc: fix chain rename bug in libiptc") Conflict:NA Reference:https://git.netfilter.org/iptables/commit/?id=e2d7ee9c49b582f399ad4ba2da2ee1b3e1f89620 --- .../shell/testcases/chain/0008rename-segfault2_0 | 32 ++++++++++++++++++++++ libiptc/libiptc.c | 4 +++ 2 files changed, 36 insertions(+) create mode 100755 iptables/tests/shell/testcases/chain/0008rename-segfault2_0 diff --git a/iptables/tests/shell/testcases/chain/0008rename-segfault2_0 b/iptables/tests/shell/testcases/chain/0008rename-segfault2_0 new file mode 100755 index 00000000..bc473d25 --- /dev/null +++ b/iptables/tests/shell/testcases/chain/0008rename-segfault2_0 @@ -0,0 +1,32 @@ +#!/bin/bash +# +# Another funny rename bug in libiptc: +# If there is a chain index bucket with only a single chain in it and it is not +# the last one and that chain is renamed, a chain index rebuild is triggered. +# Since TC_RENAME_CHAIN missed to temporarily decrement num_chains value, an +# extra index is allocated and remains NULL. The following insert of renamed +# chain then segfaults. + +( + echo "*filter" + # first bucket + for ((i = 0; i < 40; i++)); do + echo ":chain-a-$i - [0:0]" + done + # second bucket + for ((i = 0; i < 40; i++)); do + echo ":chain-b-$i - [0:0]" + done + # third bucket, just make sure it exists + echo ":chain-c-0 - [0:0]" + echo "COMMIT" +) | $XT_MULTI iptables-restore + +# rename all chains of the middle bucket +( + echo "*filter" + for ((i = 0; i < 40; i++)); do + echo "-E chain-b-$i chain-d-$i" + done + echo "COMMIT" +) | $XT_MULTI iptables-restore --noflush diff --git a/libiptc/libiptc.c b/libiptc/libiptc.c index e4750633..9712a363 100644 --- a/libiptc/libiptc.c +++ b/libiptc/libiptc.c @@ -2384,12 +2384,16 @@ int TC_RENAME_CHAIN(const IPT_CHAINLABEL oldname, return 0; } + handle->num_chains--; + /* This only unlinks "c" from the list, thus no free(c) */ iptcc_chain_index_delete_chain(c, handle); /* Change the name of the chain */ strncpy(c->name, newname, sizeof(IPT_CHAINLABEL) - 1); + handle->num_chains++; + /* Insert sorted into to list again */ iptc_insert_chain(handle, c); -- cgit v1.2.3
Locations
Projects
Search
Status Monitor
Help
Open Build Service
OBS Manuals
API Documentation
OBS Portal
Reporting a Bug
Contact
Mailing List
Forums
Chat (IRC)
Twitter
Open Build Service (OBS)
is an
openSUSE project
.
浙ICP备2022010568号-2