From 8ef12cb54dbd37466ab10586591eb84338475c2a Mon Sep 17 00:00:00 2001 From: Jo-Philipp Wich Date: Fri, 2 Mar 2018 11:36:39 +0100 Subject: [PATCH] iptables: fix possible NULL pointer access on constructing rule masks Due to a misplaced parenthesis, rule_mask() may try to access r->target->userspacesize through a r->target NULL pointer. Fix this problem by correcting the parenthesis placement in the memset expression, using the originally intented operator precedence. Spotted in the cz.nic fork of firewall3. Signed-off-by: Jo-Philipp Wich --- iptables.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/iptables.c b/iptables.c index a48a8b6..f8d4d46 100644 --- a/iptables.c +++ b/iptables.c @@ -1423,7 +1423,7 @@ rule_mask(struct fw3_ipt_rule *r) p += SZ(ip6t_entry_match) + m->match->size; } - memset(p, 0xFF, SZ(ip6t_entry_target) + (r->target) ? r->target->userspacesize : 0); + memset(p, 0xFF, SZ(ip6t_entry_target) + (r->target ? r->target->userspacesize : 0)); } else #endif @@ -1447,7 +1447,7 @@ rule_mask(struct fw3_ipt_rule *r) p += SZ(ipt_entry_match) + m->match->size; } - memset(p, 0xFF, SZ(ipt_entry_target) + (r->target) ? r->target->userspacesize : 0); + memset(p, 0xFF, SZ(ipt_entry_target) + (r->target ? r->target->userspacesize : 0)); } return mask; -- 2.25.1