From c0e69db337540b22a3b3f739b1143341e7b759b7 Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Sat, 9 Jul 2011 16:01:18 +0200 Subject: libxtables: properly reject empty hostnames An empty hostname in the address list of an -s/-d argument, which may be the result of a typo, is interpreted as 0/0, which, when combined with -j ACCEPT, leads to an undesired opening of the firewall. References: http://bugzilla.netfilter.org/show_bug.cgi?id=727 Signed-off-by: Jan Engelhardt
---
iptables/xtables.c | 46 ++++++++++++++++++++-------------------------- 1 file changed, 20 insertions(+), 26 deletions(-) (limited to 'iptables/xtables.c')
diff --git a/iptables/xtables.c b/iptables/xtables.c
index c4b1c2a8..3b173959 100644
--- a/iptables/xtables.c
+++ b/iptables/xtables.c
@@ -1299,7 +1299,7 @@ void xtables_ipparse_multiple(const char *name, struct in_addr **addrpp,
 struct in_addr **maskpp, unsigned int *naddrs)
 {
 struct in_addr *addrp;
- char buf[256], *p;
+ char buf[256], *p, *next;
 unsigned int len, i, j, n, count = 1;
 const char *loop = name;
@@ -1314,23 +1314,17 @@ void xtables_ipparse_multiple(const char *name, struct in_addr **addrpp,
 loop = name;
 for (i = 0; i < count; ++i) {
- if (loop == NULL)
- break;
- if (*loop == ',')
- ++loop;
- if (*loop == '\0')
- break;
- p = strchr(loop, ',');
- if (p != NULL)
- len = p - loop;
+ next = strchr(loop, ',');
+ if (next != NULL)
+ len = next - loop;
 else
 len = strlen(loop);
- if (len == 0 || sizeof(buf) - 1 < len)
- break;
+ if (len > sizeof(buf) - 1)
+ xt_params->exit_err(PARAMETER_PROBLEM,
+ "Hostname too long");
 strncpy(buf, loop, len);
 buf[len] = '\0';
- loop += len;
 if ((p = strrchr(buf, '/')) != NULL) {
 *p = '\0';
 addrp = parse_ipmask(p + 1);
@@ -1368,6 +1362,9 @@ void xtables_ipparse_multiple(const char *name, struct in_addr **addrpp,
 }
 /* free what ipparse_hostnetwork had allocated: */
 free(addrp);
+ if (next == NULL)
+ break;
+ loop = next + 1;
 }
 *naddrs = count;
 for (i = 0; i < count; ++i)
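Review bot: With the `len == 0` break removed from the second hunk, an empty list element (the trailing one in `10.0.0.1,` or the middle one in `a,,b`) now reaches `strncpy(buf, loop, len)` and `buf[len] = '\0'` with `len == 0`, so whether it is rejected depends on how the hostnetwork parser called further down, outside this hunk, treats the empty string rather than on an explicit check here. Since rejecting empty hostnames is the stated purpose of the change, an explicit guard before the "Hostname too long" check is cheaper and self-documenting: `if (len == 0) xt_params->exit_err(PARAMETER_PROBLEM, "Empty hostname in address list");`. The same applies to the matching xtables_ip6parse_multiple hunk on the next line. The for loop opens in this hunk but the function body continues outside it.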
@@ -1616,7 +1613,7 @@ xtables_ip6parse_multiple(const char *name, struct in6_addr **addrpp,
 {
 static const struct in6_addr zero_addr;
 struct in6_addr *addrp;
- char buf[256], *p;
+ char buf[256], *p, *next;
 unsigned int len, i, j, n, count = 1;
 const char *loop = name;
@@ -1631,23 +1628,17 @@ xtables_ip6parse_multiple(const char *name, struct in6_addr **addrpp,
 loop = name;
 for (i = 0; i < count /*NB: count can grow*/; ++i) {
- if (loop == NULL)
- break;
- if (*loop == ',')
- ++loop;
- if (*loop == '\0')
- break;
- p = strchr(loop, ',');
- if (p != NULL)
- len = p - loop;
+ next = strchr(loop, ',');
+ if (next != NULL)
+ len = next - loop;
 else
 len = strlen(loop);
- if (len == 0 || sizeof(buf) - 1 < len)
- break;
+ if (len > sizeof(buf) - 1)
+ xt_params->exit_err(PARAMETER_PROBLEM,
+ "Hostname too long");
 strncpy(buf, loop, len);
 buf[len] = '\0';
- loop += len;
 if ((p = strrchr(buf, '/')) != NULL) {
 *p = '\0';
 addrp = parse_ip6mask(p + 1);
@@ -1681,6 +1672,9 @@ xtables_ip6parse_multiple(const char *name, struct in6_addr **addrpp,
 }
 /* free what ip6parse_hostnetwork had allocated: */
 free(addrp);
+ if (next == NULL)
+ break;
+ loop = next + 1;
 }
 *naddrs = count;
 for (i = 0; i < count; ++i)
-- cgit v1.2.3 From 0c384449ae9511157cd9b34d73f8f4cb71123a45 Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Sat, 9 Jul 2011 16:19:09 +0200 Subject: libxtables: ignore whitespace in the multiaddress argument parser References: http://bugzilla.netfilter.org/show_bug.cgi?id=727 Signed-off-by: Jan Engelhardt
---
iptables/xtables.c | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'iptables/xtables.c')
diff --git a/iptables/xtables.c b/iptables/xtables.c
index 3b173959..0f025920 100644
--- a/iptables/xtables.c
+++ b/iptables/xtables.c
@@ -1314,6 +1314,8 @@ void xtables_ipparse_multiple(const char *name, struct in_addr **addrpp,
 loop = name;
 for (i = 0; i < count; ++i) {
+ while (isspace(*loop))
+ ++loop;
 next = strchr(loop, ',');
 if (next != NULL)
 len = next - loop;
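Review bot: The new `while (isspace(*loop))` in the last hunk passes a plain `char` to a `<ctype.h>` function; on platforms where `char` is signed, a byte above 0x7f becomes a negative value other than EOF, which is undefined behaviour for `isspace`. Write it as `while (isspace((unsigned char)*loop))` here and in the matching xtables_ip6parse_multiple hunk on the next line. Note also that only whitespace before an element is skipped: whitespace between an element and the following comma, as in `10.0.0.1 ,10.0.0.2`, is still copied into `buf` and handed to the address parser. Whether `<ctype.h>` is already included by this file cannot be seen from the hunk, and the enclosing for loop body continues outside it.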
@@ -1628,6 +1630,8 @@ xtables_ip6parse_multiple(const char *name, struct in6_addr **addrpp,
 loop = name;
 for (i = 0; i < count /*NB: count can grow*/; ++i) {
+ while (isspace(*loop))
+ ++loop;
 next = strchr(loop, ',');
 if (next != NULL)
 len = next - loop;
-- cgit v1.2.3 From fbe9f1ecccb5ac02858fa7eee2979e0e4d97bb5f Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Sat, 9 Jul 2011 19:37:31 +0200 Subject: option: remove last traces of intrapositional negation Intrapositional negation was deprecated in 1.4.3. Signed-off-by: Jan Engelhardt
---
iptables/xtables.c | 29 ----------------------------- 1 file changed, 29 deletions(-) (limited to 'iptables/xtables.c')
diff --git a/iptables/xtables.c b/iptables/xtables.c
index 0f025920..b05df97b 100644
--- a/iptables/xtables.c
+++ b/iptables/xtables.c
@@ -1765,35 +1765,6 @@ void xtables_save_string(const char *value)
 }
 }
-/**
- * Check for option-intrapositional negation.
- * Do not use in new code.
- */
-int xtables_check_inverse(const char option[], int *invert,
- int *my_optind, int argc, char **argv)
-{
- if (option == NULL || strcmp(option, "!") != 0)
- return false;
- fprintf(stderr, "Using intrapositioned negation "
- "(`--option ! this`) is deprecated in favor of "
- "extrapositioned (`! --option this`).\n");
- if (*invert)
- xt_params->exit_err(PARAMETER_PROBLEM,
- "Multiple `!' flags not allowed");
- *invert = true;
- if (my_optind != NULL) {
- optarg = argv[*my_optind];
- ++*my_optind;
- if (argc && *my_optind > argc)
- xt_params->exit_err(PARAMETER_PROBLEM,
- "no argument following `!'");
- }
- return true;
-}
 const struct xtables_pprot xtables_chain_protos[] = {
 {"tcp", IPPROTO_TCP},
 {"sctp", IPPROTO_SCTP},
-- cgit v1.2.3 From 3eab786d6a687187556c92b3dc0f0664d8352471 Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Sun, 10 Jul 2011 11:47:46 +0200 Subject: libxtables: set clone's initial data to NULL Avoid a crash in xs_init_match when a clone's m->udata points at the parent.
Signed-off-by: Jan Engelhardt
---
iptables/xtables.c | 1 + 1 file changed, 1 insertion(+) (limited to 'iptables/xtables.c')
diff --git a/iptables/xtables.c b/iptables/xtables.c
index b05df97b..1a5e568c 100644
--- a/iptables/xtables.c
+++ b/iptables/xtables.c
@@ -632,6 +632,7 @@ xtables_find_match(const char *name, enum xtables_tryload tryload,
 /* Second and subsequent clones */
 clone = xtables_malloc(sizeof(struct xtables_match));
 memcpy(clone, ptr, sizeof(struct xtables_match));
+ clone->udata = NULL;
 clone->mflags = 0;
 /* This is a clone: */
 clone->next = clone;
-- cgit v1.2.3
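Review bot: The added `clone->udata = NULL;` needs a why-comment, because after the preceding `memcpy` every pointer in the clone still aliases the parent's and a reader cannot tell from the code why this one field is singled out; the commit message has the reason, so record it next to the line: `/* udata is per-instance: xs_init_match allocates a fresh one; sharing the parent's caused a crash */`. If struct xtables_match carries other per-instance pointers (the `m` entry-match pointer, for example), they remain shared with the parent after the copy as well; whether they are reset further down is outside the hunk. The enclosing xtables_find_match body starts and ends outside the hunk.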