diff options
author | Jo-Philipp Wich <jo@mein.io> | 2018-03-02 11:36:39 +0100 |
---|---|---|
committer | Jo-Philipp Wich <jo@mein.io> | 2018-03-02 11:36:39 +0100 |
commit | 8ef12cb54dbd37466ab10586591eb84338475c2a (patch) | |
tree | f91e081fd85cc7b0824c8077697c271e3944fe1f | |
parent | a3ef503ed515752f7d1809c8c3238c0e4c7ce150 (diff) | |
download | firewall3-8ef12cb54dbd37466ab10586591eb84338475c2a.tar.gz |
iptables: fix possible NULL pointer access on constructing rule masks
Due to a misplaced parenthesis, rule_mask() may try to access
r->target->userspacesize through a r->target NULL pointer.
Fix this problem by correcting the parenthesis placement in the memset
expression, using the originally intented operator precedence.
Spotted in the cz.nic fork of firewall3.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
-rw-r--r-- | iptables.c | 4 |
1 files changed, 2 insertions, 2 deletions
@@ -1423,7 +1423,7 @@ rule_mask(struct fw3_ipt_rule *r) p += SZ(ip6t_entry_match) + m->match->size; } - memset(p, 0xFF, SZ(ip6t_entry_target) + (r->target) ? r->target->userspacesize : 0); + memset(p, 0xFF, SZ(ip6t_entry_target) + (r->target ? r->target->userspacesize : 0)); } else #endif @@ -1447,7 +1447,7 @@ rule_mask(struct fw3_ipt_rule *r) p += SZ(ipt_entry_match) + m->match->size; } - memset(p, 0xFF, SZ(ipt_entry_target) + (r->target) ? r->target->userspacesize : 0); + memset(p, 0xFF, SZ(ipt_entry_target) + (r->target ? r->target->userspacesize : 0)); } return mask; |