From: Phil Sutter Date: Tue, 28 Nov 2023 19:11:57 +0000 (+0100) Subject: libxtables: xtoptions: Fix for garbage access in xtables_options_xfrm() X-Git-Tag: v1.8.11~142 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=584569727dc0fc52f401db628059807030138a99;p=thirdparty%2Fiptables.git libxtables: xtoptions: Fix for garbage access in xtables_options_xfrm() Allocation of the temporary array did not account for a terminating NULL entry, causing array boundary overstepping in the called xtables_merge_options(), causing spurious errors in extension parameter parsing. Fixes: ed8c3ea4015f0 ("libxtables: Combine the two extension option mergers") Signed-off-by: Phil Sutter --- diff --git a/libxtables/xtoptions.c b/libxtables/xtoptions.c index 4fd0e70e..64d740e3 100644 --- a/libxtables/xtoptions.c +++ b/libxtables/xtoptions.c @@ -92,12 +92,13 @@ xtables_options_xfrm(struct option *orig_opts, struct option *oldopts, for (num_new = 0; entry[num_new].name != NULL; ++num_new) ; - mp = xtables_calloc(num_new, sizeof(*mp)); + mp = xtables_calloc(num_new + 1, sizeof(*mp)); for (i = 0; i < num_new; i++) { mp[i].name = entry[i].name; mp[i].has_arg = entry[i].type != XTTYPE_NONE; mp[i].val = entry[i].id; } + merge = xtables_merge_options(orig_opts, oldopts, mp, offset); free(mp);
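Review bot: The `num_new + 1` allocation in xtables_options_xfrm() leaves the terminating entry implicit: the loop still fills only indices 0 to num_new - 1, so mp[num_new] serves as the NULL-name terminator solely because xtables_calloc() returns zeroed memory. A short comment on the allocation line, for example `/* +1 for the zeroed terminating entry xtables_merge_options() expects */`, would keep a later change of allocator or a resize of mp from silently reintroducing the out-of-bounds read described in the commit message. The blank line added before the `merge = xtables_merge_options(...)` call is an unrelated whitespace change and could be dropped from a fix that is likely to be backported.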