From: Hans Dedecker
Date: Wed, 25 Feb 2015 15:00:56 +0000 (+0100)
Subject: firewall3: fix null pointer access when no target is present
X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=165029cb8c0f1545628f44143aec965e64cef021;p=oweals%2Ffirewall3.git
firewall3: fix null pointer access when no target is present
Signed-off-by: Hans Dedecker
---
diff --git a/iptables.c b/iptables.c
index 03987af..ca84761 100644
--- a/iptables.c
+++ b/iptables.c
@@ -1199,7 +1199,9 @@ rule_mask(struct fw3_ipt_rule *r)
 for (m = r->matches; m; m = m->next)
 s += SZ(ip6t_entry_match) + m->match->size;
- s += SZ(ip6t_entry_target) + r->target->size;
+ s += SZ(ip6t_entry_target);
+ if (r->target)
+ s += r->target->size;
 mask = fw3_alloc(s);
 memset(mask, 0xFF, SZ(ip6t_entry));
@@ -1211,7 +1213,7 @@ rule_mask(struct fw3_ipt_rule *r)
 p += SZ(ip6t_entry_match) + m->match->size;
 }
- memset(p, 0xFF, SZ(ip6t_entry_target) + r->target->userspacesize);
+ memset(p, 0xFF, SZ(ip6t_entry_target) + (r->target) ? r->target->userspacesize : 0);
 }
 else
 #endif
@@ -1221,7 +1223,9 @@ rule_mask(struct fw3_ipt_rule *r)
 for (m = r->matches; m; m = m->next)
 s += SZ(ipt_entry_match) + m->match->size;
- s += SZ(ipt_entry_target) + r->target->size;
+ s += SZ(ipt_entry_target);
+ if (r->target)
+ s += r->target->size;
 mask = fw3_alloc(s);
 memset(mask, 0xFF, SZ(ipt_entry));
@@ -1233,7 +1237,7 @@ rule_mask(struct fw3_ipt_rule *r)
 p += SZ(ipt_entry_match) + m->match->size;
 }
- memset(p, 0xFF, SZ(ipt_entry_target) + r->target->userspacesize);
+ memset(p, 0xFF, SZ(ipt_entry_target) + (r->target) ? r->target->userspacesize : 0);
 }
 return mask;
@@ -1242,7 +1246,7 @@ rule_mask(struct fw3_ipt_rule *r)
 static void *
 rule_build(struct fw3_ipt_rule *r)
 {
- size_t s;
+ size_t s, target_size = (r->target) ? r->target->t->u.target_size : 0;
 struct xtables_rule_match *m;
 #ifndef DISABLE_IPV6
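Review bot: In the added memset line of rule_mask's IPv6 branch (hunk at -1211,7 +1213,7), `+` binds tighter than `?:`, so the length parses as `(SZ(ip6t_entry_target) + (r->target)) ? r->target->userspacesize : 0`. Assuming SZ() yields an integer size, the condition becomes pointer arithmetic that is effectively never zero, so `r->target->userspacesize` is still read when `r->target` is NULL, which is the access this commit sets out to remove. When a target is present the fill length also loses the `SZ(ip6t_entry_target)` part, so the target header bytes of the mask are no longer set to 0xFF. Parenthesise the conditional: `memset(p, 0xFF, SZ(ip6t_entry_target) + (r->target ? r->target->userspacesize : 0));`. The IPv4 branch (hunk at -1233,7 +1237,7) has the same line and needs the same change; rule_mask's body starts and ends outside these hunks.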
@@ -1255,12 +1259,12 @@ rule_build(struct fw3_ipt_rule *r)
 for (m = r->matches; m; m = m->next)
 s += m->match->m->u.match_size;
- e6 = fw3_alloc(s + r->target->t->u.target_size);
+ e6 = fw3_alloc(s + target_size);
 memcpy(e6, &r->e6, sizeof(struct ip6t_entry));
 e6->target_offset = s;
- e6->next_offset = s + r->target->t->u.target_size;
+ e6->next_offset = s + target_size;
 s = 0;
@@ -1270,7 +1274,8 @@ rule_build(struct fw3_ipt_rule *r)
 s += m->match->m->u.match_size;
 }
- memcpy(e6->elems + s, r->target->t, r->target->t->u.target_size);
+ if (target_size)
+ memcpy(e6->elems + s, r->target->t, target_size);
 return e6;
 }
@@ -1284,12 +1289,12 @@ rule_build(struct fw3_ipt_rule *r)
 for (m = r->matches; m; m = m->next)
 s += m->match->m->u.match_size;
- e = fw3_alloc(s + r->target->t->u.target_size);
+ e = fw3_alloc(s + target_size);
 memcpy(e, &r->e, sizeof(struct ipt_entry));
 e->target_offset = s;
- e->next_offset = s + r->target->t->u.target_size;
+ e->next_offset = s + target_size;
 s = 0;
@@ -1299,7 +1304,8 @@ rule_build(struct fw3_ipt_rule *r)
 s += m->match->m->u.match_size;
 }
- memcpy(e->elems + s, r->target->t, target_size);
+ if (target_size)
+ memcpy(e->elems + s, r->target->t, target_size);
 return e;
 }
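Review bot: With `r->target` NULL, the IPv6 branch of rule_build (hunk at -1255,12 +1259,12) now sets `e6->target_offset` and `e6->next_offset` to the same value `s`, so the built entry carries no target record at all, while rule_mask in the same commit still reserves `SZ(ip6t_entry_target)` bytes for one. As far as I know, netfilter's entry validation expects at least a target header between the two offsets, so it is worth confirming that such an entry is never submitted as a rule, or substituting an empty standard target instead of omitting it. At minimum the assignment should say so, e.g. `/* no target: next_offset == target_offset, entry has no target record */`. The IPv4 branch (hunk at -1284,12 +1289,12) has the same shape; rule_build's body starts outside this hunk.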