From: Ronald Wahl Date: Thu, 4 Sep 2014 22:54:48 +0000 (+0200) Subject: libxtables: fix two off-by-one memory corruption bugs X-Git-Tag: v1.6.0~84 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a76a5c997a235f822d49799c25fce8e311d473c7;p=thirdparty%2Fiptables.git libxtables: fix two off-by-one memory corruption bugs The LSB of xtables_pending_matches was overwritten with zero that lead to segmentation fault. But simply adding an additional variable in the code or changing compilation options modified the behaviour so that no segmentation fault happens so it is rather subtle. (1) memset(p + (bits / 8) + 1, 0, (128 - bits) / 8); In case of bits % 8 == 0 we write the byte behind *p (2) p[bits/8] = 0xff << (8 - (bits & 7)); In case of bits == 128 we write the byte behind *p Closes bug 943. Signed-off-by: Florian Westphal --- diff --git a/libxtables/xtables.c b/libxtables/xtables.c index 1ab86d5a..46f5e352 100644 --- a/libxtables/xtables.c +++ b/libxtables/xtables.c @@ -1702,8 +1702,9 @@ static struct in6_addr *parse_ip6mask(char *mask) if (bits != 0) { char *p = (void *)&maskaddr; memset(p, 0xff, bits / 8); - memset(p + (bits / 8) + 1, 0, (128 - bits) / 8); - p[bits/8] = 0xff << (8 - (bits & 7)); + memset(p + ((bits + 7) / 8), 0, (128 - bits) / 8); + if (bits < 128) + p[bits/8] = 0xff << (8 - (bits & 7)); return &maskaddr; }
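Review bot: The new `if (bits < 128)` guard on the partial-byte store still lets the store run for every prefix length that is a multiple of 8. There `0xff << (8 - (bits & 7))` becomes `0xff << 8`, which only ends up as zero because the value is truncated on assignment to `char`. For those lengths the preceding `memset(p + ((bits + 7) / 8), 0, (128 - bits) / 8)` has already zeroed `p[bits/8]`, so the store is redundant. Guarding with `if (bits & 7)` would run the store only when a partial byte exists, and it also covers bits == 128, provided bits can never exceed 128. That bound is not visible in this hunk and is worth confirming, since `(128 - bits) / 8` is passed as a length. Declaring `p` as `unsigned char *` would also avoid relying on how an out-of-range value converts to a possibly signed `char`. A one-line comment explaining why the zero fill starts at `(bits + 7) / 8` would help the next reader keep the three writes inside the 16 bytes of `maskaddr`.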