From a76a5c997a235f822d49799c25fce8e311d473c7 Mon Sep 17 00:00:00 2001
From: Ronald Wahl
Date: Fri, 5 Sep 2014 00:54:48 +0200
Subject: libxtables: fix two off-by-one memory corruption bugs
The LSB of xtables_pending_matches was overwritten with zero that lead to segmentation fault. But simply adding an additional variable in the code or changing compilation options modified the behaviour so that no segmentation fault happens so it is rather subtle. (1) memset(p + (bits / 8) + 1, 0, (128 - bits) / 8); In case of bits % 8 == 0 we write the byte behind *p (2) p[bits/8] = 0xff << (8 - (bits & 7)); In case of bits == 128 we write the byte behind *p Closes bug 943.
Signed-off-by: Florian Westphal
---
libxtables/xtables.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
(limited to 'libxtables')
diff --git a/libxtables/xtables.c b/libxtables/xtables.c
index 1ab86d5a..46f5e352 100644
--- a/libxtables/xtables.c
+++ b/libxtables/xtables.c
@@ -1702,8 +1702,9 @@ static struct in6_addr *parse_ip6mask(char *mask)
 	if (bits != 0) {
 		char *p = (void *)&maskaddr;
 		memset(p, 0xff, bits / 8);
-		memset(p + (bits / 8) + 1, 0, (128 - bits) / 8);
-		p[bits/8] = 0xff << (8 - (bits & 7));
+		memset(p + ((bits + 7) / 8), 0, (128 - bits) / 8);
+		if (bits < 128)
+			p[bits/8] = 0xff << (8 - (bits & 7));
 		return &maskaddr;
 	}
-- 
cgit v1.2.3
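Review bot: The new guard `if (bits < 128)` is wider than the condition it protects: for every byte-aligned prefix below 128 (bits = 8, 16, …) the next line still runs `p[bits/8] = 0xff << 8`, storing the int 0xff00 into a `char`, an implementation-defined narrowing that happens to yield 0 on common targets and only re-zeroes a byte the preceding memset already cleared. Testing the partial byte directly states the intent and covers the 128 case as well: `if (bits & 7)` followed by `p[bits/8] = 0xff << (8 - (bits & 7));`, and declaring `unsigned char *p = (void *)&maskaddr;` makes the narrowing well-defined. The corrected memset start `(bits + 7) / 8` together with length `(128 - bits) / 8` is right for bits in 0..128, but it depends on bits never exceeding 128; that bound is presumably enforced earlier in parse_ip6mask, whose body starts and ends outside this hunk, so it is worth confirming there.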