libxtables: fix two off-by-one memory corruption bugs

The LSB of xtables_pending_matches was overwritten with zero
that lead to segmentation fault. But simply adding an additional variable
in the code or changing compilation options modified the behaviour so that no
segmentation fault happens so it is rather subtle.

(1) memset(p + (bits / 8) + 1, 0, (128 - bits) / 8);
In case of bits % 8 == 0 we write the byte behind *p

(2) p[bits/8] = 0xff << (8 - (bits & 7));
In case of bits == 128 we write the byte behind *p

Closes bug 943.

Signed-off-by: Florian Westphal <fw@strlen.de>

diff --git a/libxtables/xtables.c b/libxtables/xtables.c
index 1ab86d5af7cf5fe3347f92b73892a93b14e11cd6..46f5e35236e6b20c92e6f218235d2184b0e9c9d1 100644 (file)
--- a/libxtables/xtables.c
+++ b/libxtables/xtables.c
@@ -1702,8 +1702,9 @@ static struct in6_addr *parse_ip6mask(char *mask)
        if (bits != 0) {
                char *p = (void *)&maskaddr;
                memset(p, 0xff, bits / 8);
-               memset(p + (bits / 8) + 1, 0, (128 - bits) / 8);
-               p[bits/8] = 0xff << (8 - (bits & 7));
+               memset(p + ((bits + 7) / 8), 0, (128 - bits) / 8);
+               if (bits < 128)
+                       p[bits/8] = 0xff << (8 - (bits & 7));
                return &maskaddr;
        }