| author | Maciej Żenczykowski <maze@google.com> | 2023-10-23 11:11:18 -0700 |
|---|---|---|
| committer | Maciej Żenczykowski <maze@google.com> | 2023-10-23 11:11:26 -0700 |
| commit | 409e57db117575af8e21becab7b8218ba19efbc3 (patch) | |
| tree | 45b4c93d87b3c713f64d4f1456de1e84b9ad0c6b | |
| parent | d8513a9276f7b1e76139a8cfc25f84d6a86532ef (diff) | |
| parent | 920ece2b392fb83bd26416e0e6f8f6a847aacbaa (diff) | |
| download | iptables-409e57db117575af8e21becab7b8218ba19efbc3.tar.gz | |
Merge branch 'master' of https://git.netfilter.org/iptables
* 'master' of https://git.netfilter.org/iptables:
extensions: string: Clarify description of --to
libiptc: Fix for another segfault due to chain index NULL pointer
Generated via:
git fetch git://git.netfilter.org/iptables master
git merge --log=999 FETCH_HEAD
Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I48d98fcfc9345d212db6313e8fcd8ceeca229d30
| Mode | File | Lines changed |
|---|---|---|
| -rw-r--r-- | extensions/libxt_string.man | 8 |
| -rwxr-xr-x | iptables/tests/shell/testcases/chain/0008rename-segfault2_0 | 32 |
| -rw-r--r-- | libiptc/libiptc.c | 4 |

3 files changed, 42 insertions, 2 deletions
diff --git a/extensions/libxt_string.man b/extensions/libxt_string.man index 2a470ece..efdda492 100644 --- a/extensions/libxt_string.man +++ b/extensions/libxt_string.man @@ -7,9 +7,13 @@ Select the pattern matching strategy. (bm = Boyer-Moore, kmp = Knuth-Pratt-Morri Set the offset from which it starts looking for any matching. If not passed, default is 0. .TP \fB\-\-to\fP \fIoffset\fP -Set the offset up to which should be scanned. That is, byte \fIoffset\fP-1 -(counting from 0) is the last one that is scanned. +Set the offset up to which should be scanned. If the pattern does not start +within this offset, it is not considered a match. If not passed, default is the packet size. +A second function of this parameter is instructing the kernel how much data +from the packet should be provided. With non-linear skbuffs (e.g. due to +fragmentation), a pattern extending past this offset may not be found. Also see +the related note below about Boyer-Moore algorithm in these cases. .TP [\fB!\fP] \fB\-\-string\fP \fIpattern\fP Matches the given pattern. diff --git a/iptables/tests/shell/testcases/chain/0008rename-segfault2_0 b/iptables/tests/shell/testcases/chain/0008rename-segfault2_0 new file mode 100755 index 00000000..bc473d25 --- /dev/null +++ b/iptables/tests/shell/testcases/chain/0008rename-segfault2_0 
@@ -0,0 +1,32 @@ +#!/bin/bash +# +# Another funny rename bug in libiptc: +# If there is a chain index bucket with only a single chain in it and it is not +# the last one and that chain is renamed, a chain index rebuild is triggered. +# Since TC_RENAME_CHAIN missed to temporarily decrement num_chains value, an +# extra index is allocated and remains NULL. The following insert of renamed +# chain then segfaults. + +( + echo "*filter" + # first bucket + for ((i = 0; i < 40; i++)); do + echo ":chain-a-$i - [0:0]" + done + # second bucket + for ((i = 0; i < 40; i++)); do + echo ":chain-b-$i - [0:0]" + done + # third bucket, just make sure it exists + echo ":chain-c-0 - [0:0]" + echo "COMMIT" +) | $XT_MULTI iptables-restore + +# rename all chains of the middle bucket +( + echo "*filter" + for ((i = 0; i < 40; i++)); do + echo "-E chain-b-$i chain-d-$i" + done + echo "COMMIT" +) | $XT_MULTI iptables-restore --noflush diff --git a/libiptc/libiptc.c b/libiptc/libiptc.c index e4750633..9712a363 100644 --- a/libiptc/libiptc.c +++ b/libiptc/libiptc.c @@ -2384,12 +2384,16 @@ int TC_RENAME_CHAIN(const IPT_CHAINLABEL oldname, return 0; } + handle->num_chains--; + /* This only unlinks "c" from the list, thus no free(c) */ iptcc_chain_index_delete_chain(c, handle); /* Change the name of the chain */ strncpy(c->name, newname, sizeof(IPT_CHAINLABEL) - 1); + handle->num_chains++; + /* Insert sorted into to list again */ iptc_insert_chain(handle, c); |
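Review bot: in the libxt_string.man hunk, the new first sentence "Set the offset up to which should be scanned." is missing its subject; suggest "Set the offset up to which the packet should be scanned." The removed text stated exactly which byte is the last one examined (byte \fIoffset\fP-1, counting from 0), and the replacement "If the pattern does not start within this offset, it is not considered a match" leaves open whether a pattern starting exactly at byte \fIoffset\fP counts, so please keep one sentence that spells out the inclusive/exclusive boundary; the rest of the addition (default of packet size, non-linear skbuff caveat) is a clear improvement.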
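Review bot: in the new test 0008rename-segfault2_0, neither `$XT_MULTI iptables-restore` pipeline checks its exit status and the script does not `set -e`, so if the first restore (which only creates the chains) fails, the second one runs against an empty table and the test still reports success; suggest adding `set -e` after the shebang or `|| exit 1` after each pipeline. The header comment describes the trigger as "a chain index bucket with only a single chain in it", while the setup creates 40 chains per bucket; a line explaining why 40 chains make up one bucket and that renaming the middle bucket's chains one at a time eventually reduces it to the single-chain case would make the setup easier to follow.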
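Review bot: in the TC_RENAME_CHAIN hunk, the `handle->num_chains--;` / `handle->num_chains++;` pair around iptcc_chain_index_delete_chain() and iptc_insert_chain() carries no comment saying why the count has to be lowered temporarily; the reason is recorded only in the test script's header (the index rebuild sizes its bucket array from num_chains, so an unadjusted count allocates an extra bucket that stays NULL and the following insert segfaults). Suggest a comment above the decrement, e.g. `/* index rebuild sizes buckets from num_chains; exclude "c" while it is unlinked */`. Please also confirm that iptc_insert_chain() does not itself increment num_chains, since the chain is re-inserted rather than newly created and a double count would reintroduce the off-by-one in the other direction.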