summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
author/C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=laforge/emailAddress=laforge@netfilter.org </C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=laforge/emailAddress=laforge@netfilter.org>2005-07-29 13:26:35 +0000
committer/C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=laforge/emailAddress=laforge@netfilter.org </C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=laforge/emailAddress=laforge@netfilter.org>2005-07-29 13:26:35 +0000
commit5901a7d1512b8809da7b1c326d75d86d7c82984f (patch)
tree3f06da4c25e24f5d3c9bdb1f83376edfbed13199
parent94037a96eba106cafad31ca1b2a9250b1b3eaba5 (diff)
The call to free_opts() in merge_options() is invalid C. The oldopts
argument always refers to the memory pointed to by the opts global, which may be freed by the call to free_opts(), but oldopts is used after the free_opts() call. This patch makes sure we don't use freed memory. (Marcus Sundberg <marcus@ingate.com>) ip6tables merge by myself.
-rw-r--r--ip6tables.c4
-rw-r--r--iptables.c4
2 files changed, 2 insertions, 6 deletions
diff --git a/ip6tables.c b/ip6tables.c
index 49dcbf0..3b32606 100644
--- a/ip6tables.c
+++ b/ip6tables.c
@@ -1029,9 +1029,6 @@ merge_options(struct option *oldopts, const struct option *newopts,
unsigned int num_old, num_new, i;
struct option *merge;
- /* Release previous options merged if any */
- free_opts(0);
-
for (num_old = 0; oldopts[num_old].name; num_old++);
for (num_new = 0; newopts[num_new].name; num_new++);
@@ -1040,6 +1037,7 @@ merge_options(struct option *oldopts, const struct option *newopts,
merge = malloc(sizeof(struct option) * (num_new + num_old + 1));
memcpy(merge, oldopts, num_old * sizeof(struct option));
+ free_opts(0); /* Release previous options merged if any */
for (i = 0; i < num_new; i++) {
merge[num_old + i] = newopts[i];
merge[num_old + i].val += *option_offset;
diff --git a/iptables.c b/iptables.c
index 0bb2b03..7e8ba59 100644
--- a/iptables.c
+++ b/iptables.c
@@ -1029,9 +1029,6 @@ merge_options(struct option *oldopts, const struct option *newopts,
unsigned int num_old, num_new, i;
struct option *merge;
- /* Release previous options merged if any */
- free_opts(0);
-
for (num_old = 0; oldopts[num_old].name; num_old++);
for (num_new = 0; newopts[num_new].name; num_new++);
@@ -1040,6 +1037,7 @@ merge_options(struct option *oldopts, const struct option *newopts,
merge = malloc(sizeof(struct option) * (num_new + num_old + 1));
memcpy(merge, oldopts, num_old * sizeof(struct option));
+ free_opts(0); /* Release previous options merged if any */
for (i = 0; i < num_new; i++) {
merge[num_old + i] = newopts[i];
merge[num_old + i].val += *option_offset;