xtables-restore: Fix parser feed from line buffer

When called with --noflush, xtables-restore would trip over chain lines:
Parser uses strtok() to separate chain name, policy and counters which
inserts nul-chars into the source string. Therefore strlen() can't be
used anymore to find end of line. Fix this by caching line length before
calling xtables_restore_parse_line().

Fixes: 09cb517949e69 ("xtables-restore: Improve performance of --noflush operation")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/iptables/tests/shell/testcases/ipt-restore/0010-noflush-new-chain_0 b/iptables/tests/shell/testcases/ipt-restore/0010-noflush-new-chain_0
new file mode 100755 (executable)
index 0000000..739e684
--- /dev/null
+++ b/iptables/tests/shell/testcases/ipt-restore/0010-noflush-new-chain_0
@@ -0,0 +1,10 @@
+#!/bin/sh -e
+
+# assert input feed from buffer doesn't trip over
+# added nul-chars from parsing chain line.
+
+$XT_MULTI iptables-restore --noflush <<EOF
+*filter
+:foobar - [0:0]
+-A foobar -j ACCEPT
+COMMIT

diff --git a/iptables/xtables-restore.c b/iptables/xtables-restore.c
index 2f0fe7d439d940dbd61045cf475bf0e314812bbc..dd907e0b8ddd55c7d8df677e887a9e010c6a5984 100644 (file)
--- a/iptables/xtables-restore.c
+++ b/iptables/xtables-restore.c
@@ -327,10 +327,12 @@ void xtables_restore_parse(struct nft_handle *h,
        line = 0;
        ptr = preload_buffer;
        while (*ptr) {
+               size_t len = strlen(ptr);
+
                h->error.lineno = ++line;
                DEBUGP("%s: buffered line %d: '%s'\n", __func__, line, ptr);
                xtables_restore_parse_line(h, p, &state, ptr);
-               ptr += strlen(ptr) + 1;
+               ptr += len + 1;
        }
        if (*buffer) {
                h->error.lineno = ++line;