diff options
author | Pablo Neira Ayuso <pablo@netfilter.org> | 2013-10-08 12:13:57 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2013-12-30 23:50:52 +0100 |
commit | 6cd426bc7593ecf04a02c901d94e04093bdf69e4 (patch) | |
tree | 0ea7a510623f5debe46772178f545b75eae21bbc /iptables | |
parent | 5f6e384ac2a3d7b647a909654a3bdee1c0bcb3eb (diff) |
nft: fix bad length when comparing extension data area
Use ->userspacesize to compare the extension data area, otherwise
we also compare the internal private pointers which are only
meaningful to the kernelspace.
This fixes:
xtables -4 -D INPUT -m connlimit \
--connlimit-above 10 --connlimit-mask 32 --connlimit-daddr
But it also fixes many other matches/targets which use internal
private data.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'iptables')
-rw-r--r-- | iptables/nft-shared.c | 6 |
1 files changed, 2 insertions, 4 deletions
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c index ebcb9692..3987f74b 100644 --- a/iptables/nft-shared.c +++ b/iptables/nft-shared.c @@ -683,7 +683,7 @@ compare_matches(struct xtables_rule_match *mt1, struct xtables_rule_match *mt2) } if (memcmp(m1->data, m2->data, - m1->u.user.match_size - sizeof(*m1)) != 0) { + mp1->match->userspacesize) != 0) { DEBUGP("mismatch match data\n"); return false; } @@ -709,10 +709,8 @@ bool compare_targets(struct xtables_target *tg1, struct xtables_target *tg2) if (strcmp(tg1->t->u.user.name, tg2->t->u.user.name) != 0) return false; - if (memcmp(tg1->t->data, tg2->t->data, - tg1->t->u.user.target_size - sizeof(*tg1->t)) != 0) { + if (memcmp(tg1->t->data, tg2->t->data, tg1->userspacesize) != 0) return false; - } return true; } |