From: Tobias Brunner
Date: Mon, 7 Mar 2016 14:32:02 +0000 (+0100)
Subject: connmark: Compare the complete rules when deleting them
X-Git-Tag: 5.4.0rc1~7
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7c9e7eb9334beeca94e7d97f7b4cbed718e9dc2d;p=thirdparty%2Fstrongswan.git

connmark: Compare the complete rules when deleting them

By setting a matchmask that covers the complete rule we ensure that the correct rule is deleted (i.e. matches and targets with potentially different marks are also compared). Since data after the passed pointer is actually dereferenced when comparing, we definitely have to pass an array that is at least as long as the ipt_entry.

Fixes #1229.

---

diff --git a/src/libcharon/plugins/connmark/connmark_listener.c b/src/libcharon/plugins/connmark/connmark_listener.c index cd53701e89..9dde7c1c57 100644 --- a/src/libcharon/plugins/connmark/connmark_listener.c +++ b/src/libcharon/plugins/connmark/connmark_listener.c @@ -101,7 +101,10 @@ static bool manage_rule(struct iptc_handle *ipth, const char *chain, } else { - if (!iptc_delete_entry(chain, e, "", ipth)) + u_char matchmask[e->next_offset]; + + memset(matchmask, 255, sizeof(matchmask)); + if (!iptc_delete_entry(chain, e, matchmask, ipth)) { DBG1(DBG_CFG, "deleting %s rule failed: %s", chain, iptc_strerror(errno));
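Review bot: an all-ones mask of `e->next_offset` bytes makes `iptc_delete_entry()` compare every byte of the locally built entry against the stored rule, so the deletion branch now depends on `e` being fully initialised (struct padding and any unused tail of the match and target data included); if the entry is constructed without zeroing it first, a logically identical rule can fail to match and the `DBG1(DBG_CFG, "deleting %s rule failed: %s", ...)` path triggers instead. Worth a short comment above `memset(matchmask, 255, sizeof(matchmask));` stating that `next_offset` is the total entry length (base entry plus matches plus target), which is why the array satisfies the "at least as long as the ipt_entry" requirement from the commit message. Minor style point: `unsigned char` is more portable than `u_char` for the VLA declaration, and since the array lives on the stack its size is bounded only by the entry length, which is fine here but should be stated.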