authorPhil Sutter <phil@nwl.cc>2023-11-28 20:11:57 +0100
committerPhil Sutter <phil@nwl.cc>2023-11-29 02:33:06 +0100
commit584569727dc0fc52f401db628059807030138a99 (patch)
treee2498462c3ae28c6218ee0fafdbe9943ac1f43df
parentd8c64911cfd602f57354f36e5ca79bbedd62aa7a (diff)
libxtables: xtoptions: Fix for garbage access in xtables_options_xfrm()
Allocation of the temporary array did not account for a terminating NULL entry, causing array boundary overstepping in the called xtables_merge_options(), causing spurious errors in extension parameter parsing. Fixes: ed8c3ea4015f0 ("libxtables: Combine the two extension option mergers") Signed-off-by: Phil Sutter <phil@nwl.cc>
-rw-r--r--libxtables/xtoptions.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c
index 4fd0e70e..64d740e3 100644
--- a/libxtables/xtoptions.c
+++ b/libxtables/xtoptions.c
@@ -92,12 +92,13 @@ xtables_options_xfrm(struct option *orig_opts, struct option *oldopts,
for (num_new = 0; entry[num_new].name != NULL; ++num_new)
;
- mp = xtables_calloc(num_new, sizeof(*mp));
+ mp = xtables_calloc(num_new + 1, sizeof(*mp));
for (i = 0; i < num_new; i++) {
mp[i].name = entry[i].name;
mp[i].has_arg = entry[i].type != XTTYPE_NONE;
mp[i].val = entry[i].id;
}
+
merge = xtables_merge_options(orig_opts, oldopts, mp, offset);
free(mp);
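Review bot: The extra slot in `xtables_calloc(num_new + 1, sizeof(*mp))` acts as the terminator only because the allocation is zero-filled and the copy loop stops at `num_new`; nothing at the call site records that. A later switch to a non-zeroing allocator, or a change to the loop bound, would silently bring back the out-of-bounds read in xtables_merge_options() that the commit message describes. I would add a comment above the allocation, e.g. `/* +1: zeroed entry terminates mp[] for xtables_merge_options() */`. This assumes xtables_calloc() zero-fills like calloc(), since its definition is not in this hunk; if so, that zero-fill is the only thing making `mp[num_new].name` NULL. The body of xtables_options_xfrm() starts and ends outside the hunk.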