libxtables: xtoptions: Fix for garbage access in xtables_options_xfrm()
authorPhil Sutter <phil@nwl.cc>
Tue, 28 Nov 2023 19:11:57 +0000 (20:11 +0100)
committerPhil Sutter <phil@nwl.cc>
Wed, 29 Nov 2023 01:33:06 +0000 (02:33 +0100)
Allocation of the temporary array did not account for a terminating NULL
entry, causing array boundary overstepping in the called
xtables_merge_options(), causing spurious errors in extension parameter
parsing.

Fixes: ed8c3ea4015f0 ("libxtables: Combine the two extension option mergers")
Signed-off-by: Phil Sutter <phil@nwl.cc>
libxtables/xtoptions.c

index 4fd0e70e6b55588d5e7ae769b0028bf913cd9de1..64d740e334b745a4a74392522b4322c57368d4db 100644 (file)
@@ -92,12 +92,13 @@ xtables_options_xfrm(struct option *orig_opts, struct option *oldopts,
        for (num_new = 0; entry[num_new].name != NULL; ++num_new)
                ;
 
-       mp = xtables_calloc(num_new, sizeof(*mp));
+       mp = xtables_calloc(num_new + 1, sizeof(*mp));
        for (i = 0; i < num_new; i++) {
                mp[i].name      = entry[i].name;
                mp[i].has_arg   = entry[i].type != XTTYPE_NONE;
                mp[i].val       = entry[i].id;
        }
+
        merge = xtables_merge_options(orig_opts, oldopts, mp, offset);
 
        free(mp);
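Review bot: The terminator at `mp[num_new]` is never written; it exists only because xtables_calloc() presumably zero-fills the extra slot, and nothing on the allocation line records that. The copy loop still stops at `i < num_new`, so a later move to a non-zeroing allocator or a `num_new`-sized resize would quietly bring back the out-of-bounds read in xtables_merge_options(). I would add a comment above the allocation, for example `/* +1: zeroed terminator entry; xtables_merge_options() scans mp until it finds one */`. Running the extension option-parsing tests under ASan or valgrind would catch this class of overread sooner than the spurious parse errors the commit message describes. The body of xtables_options_xfrm() starts and ends outside this hunk, so how `merge` and `offset` are used afterwards is not visible here.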