The call to free_opts() in merge_options() is invalid C. The oldopts

argument always refers to the memory pointed to by the opts global,
which may be freed by the call to free_opts(), but oldopts is used
after the free_opts() call. This patch makes sure we don't use freed
memory.  (Marcus Sundberg <marcus@ingate.com>)

ip6tables merge by myself.

diff --git a/ip6tables.c b/ip6tables.c
index 49dcbf0705eb28d9f34765a1adc4743dc5d9b368..3b32606cdd14294a905917a1b5cce8ec13f3feef 100644 (file)
--- a/ip6tables.c
+++ b/ip6tables.c
@@ -1029,9 +1029,6 @@ merge_options(struct option *oldopts, const struct option *newopts,
        unsigned int num_old, num_new, i;
        struct option *merge;
 
-       /* Release previous options merged if any */
-       free_opts(0);
-
        for (num_old = 0; oldopts[num_old].name; num_old++);
        for (num_new = 0; newopts[num_new].name; num_new++);
 
@@ -1040,6 +1037,7 @@ merge_options(struct option *oldopts, const struct option *newopts,
 
        merge = malloc(sizeof(struct option) * (num_new + num_old + 1));
        memcpy(merge, oldopts, num_old * sizeof(struct option));
+       free_opts(0); /* Release previous options merged if any */
        for (i = 0; i < num_new; i++) {
                merge[num_old + i] = newopts[i];
                merge[num_old + i].val += *option_offset;

diff --git a/iptables.c b/iptables.c
index 0bb2b0370357c17df664dda774dc28b541e6302e..7e8ba59ef61d1137e38f03bea0b67a225678c105 100644 (file)
--- a/iptables.c
+++ b/iptables.c
@@ -1029,9 +1029,6 @@ merge_options(struct option *oldopts, const struct option *newopts,
        unsigned int num_old, num_new, i;
        struct option *merge;
 
-       /* Release previous options merged if any */
-       free_opts(0);
-       
        for (num_old = 0; oldopts[num_old].name; num_old++);
        for (num_new = 0; newopts[num_new].name; num_new++);
 
@@ -1040,6 +1037,7 @@ merge_options(struct option *oldopts, const struct option *newopts,
 
        merge = malloc(sizeof(struct option) * (num_new + num_old + 1));
        memcpy(merge, oldopts, num_old * sizeof(struct option));
+       free_opts(0); /* Release previous options merged if any */
        for (i = 0; i < num_new; i++) {
                merge[num_old + i] = newopts[i];
                merge[num_old + i].val += *option_offset;