authorRonald Wahl <ronald.wahl@raritan.com>2014-09-05 00:54:48 +0200
committerFlorian Westphal <fw@strlen.de>2014-09-05 01:23:56 +0200
commita76a5c997a235f822d49799c25fce8e311d473c7 (patch)
treee8ef188cba6959693eadbbe16105a6a6d9b91c75 /libxtables
parent1cc84d47766ad74be8609477d3496544848b75b1 (diff)
libxtables: fix two off-by-one memory corruption bugs
The LSB of xtables_pending_matches was overwritten with zero, which led to a segmentation fault. Simply adding an additional variable in the code or changing compilation options changed the behaviour so that no segmentation fault happened, so the bug is rather subtle. (1) memset(p + (bits / 8) + 1, 0, (128 - bits) / 8); In case of bits % 8 == 0 we write the byte behind *p. (2) p[bits/8] = 0xff << (8 - (bits & 7)); In case of bits == 128 we write the byte behind *p. Closes bug 943. Signed-off-by: Florian Westphal <fw@strlen.de>
Diffstat (limited to 'libxtables')
-rw-r--r--libxtables/xtables.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/libxtables/xtables.c b/libxtables/xtables.c
index 1ab86d5a..46f5e352 100644
--- a/libxtables/xtables.c
+++ b/libxtables/xtables.c
@@ -1702,8 +1702,9 @@ static struct in6_addr *parse_ip6mask(char *mask)
if (bits != 0) {
char *p = (void *)&maskaddr;
memset(p, 0xff, bits / 8);
- memset(p + (bits / 8) + 1, 0, (128 - bits) / 8);
- p[bits/8] = 0xff << (8 - (bits & 7));
+ memset(p + ((bits + 7) / 8), 0, (128 - bits) / 8);
+ if (bits < 128)
+ p[bits/8] = 0xff << (8 - (bits & 7));
return &maskaddr;
}
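Review bot: The new guard `if (bits < 128)` still lets the partial-byte store run whenever `bits` is a multiple of 8, where it is only harmless because `0xff << 8` truncates to zero when assigned to a `char`. Guarding on the remainder instead, `if (bits & 7) p[bits / 8] = (char)(0xff << (8 - (bits & 7)));`, skips the store for every byte-aligned prefix including 128, since the second memset already zeroes that byte, and makes the narrowing explicit. Both memset lengths and the index also depend on `bits` being at most 128; with an unsigned `bits` a larger value would wrap `(128 - bits) / 8` to a very large length. That range check is not visible here because parse_ip6mask starts and ends outside the hunk, so a one-line comment such as `/* bits is in 1..128 here, checked above */` would record the invariant these writes rely on.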