summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMarcus Sundberg <marcus@ingate.com>2005-07-29 13:26:35 +0000
committerHarald Welte <laforge@gnumonks.org>2005-07-29 13:26:35 +0000
commitd91ed751b3933506ba5ab985ca02db430cd3592c (patch)
tree3f06da4c25e24f5d3c9bdb1f83376edfbed13199
parent7bdfca450990ca68ccfc4c54acb14d3ea0fa8582 (diff)
The call to free_opts() in merge_options() is invalid C. The oldopts
argument always refers to the memory pointed to by the opts global, which may be freed by the call to free_opts(), but oldopts is used after the free_opts() call. This patch makes sure we don't use freed memory. (Marcus Sundberg <marcus@ingate.com>) ip6tables merge by myself.
-rw-r--r--ip6tables.c4
-rw-r--r--iptables.c4
2 files changed, 2 insertions, 6 deletions
diff --git a/ip6tables.c b/ip6tables.c
index 49dcbf07..3b32606c 100644
--- a/ip6tables.c
+++ b/ip6tables.c
@@ -1029,9 +1029,6 @@ merge_options(struct option *oldopts, const struct option *newopts,
unsigned int num_old, num_new, i;
struct option *merge;
- /* Release previous options merged if any */
- free_opts(0);
-
for (num_old = 0; oldopts[num_old].name; num_old++);
for (num_new = 0; newopts[num_new].name; num_new++);
@@ -1040,6 +1037,7 @@ merge_options(struct option *oldopts, const struct option *newopts,
merge = malloc(sizeof(struct option) * (num_new + num_old + 1));
memcpy(merge, oldopts, num_old * sizeof(struct option));
+ free_opts(0); /* Release previous options merged if any */
for (i = 0; i < num_new; i++) {
merge[num_old + i] = newopts[i];
merge[num_old + i].val += *option_offset;
diff --git a/iptables.c b/iptables.c
index 0bb2b037..7e8ba59e 100644
--- a/iptables.c
+++ b/iptables.c
@@ -1029,9 +1029,6 @@ merge_options(struct option *oldopts, const struct option *newopts,
unsigned int num_old, num_new, i;
struct option *merge;
- /* Release previous options merged if any */
- free_opts(0);
-
for (num_old = 0; oldopts[num_old].name; num_old++);
for (num_new = 0; newopts[num_new].name; num_new++);
@@ -1040,6 +1037,7 @@ merge_options(struct option *oldopts, const struct option *newopts,
merge = malloc(sizeof(struct option) * (num_new + num_old + 1));
memcpy(merge, oldopts, num_old * sizeof(struct option));
+ free_opts(0); /* Release previous options merged if any */
for (i = 0; i < num_new; i++) {
merge[num_old + i] = newopts[i];
merge[num_old + i].val += *option_offset;