git.ipfire.org Git - thirdparty/iptables.git/commit

author	Phil Sutter <phil@nwl.cc>
	Thu, 31 Oct 2024 15:18:13 +0000 (16:18 +0100)
committer	Phil Sutter <phil@nwl.cc>
	Tue, 5 Nov 2024 22:58:03 +0000 (23:58 +0100)
commit	484eba83fe502f6cb010b927380da951cbd1fbab
tree	d0b444511644714b5176b54b8cbd41ad527fc8c7	tree
parent	cdbd798286270b6ad65eb4cfe3a8933430651d0b	commit \| diff

ebtables: Clone extensions before modifying them

Upon identifying an extension option, ebt_command_default() would have
the extension parse the option prior to creating a copy for attaching to
the iptables_command_state object. After copying, the (modified)
initial extension's data was cleared.

This somewhat awkward process breaks with among match which increases
match_size if needed (but never reduces it). This change is not undone,
hence leaks into following instances. This in turn is problematic with
ebtables-restore only (as multiple rules are parsed) and specifically
when deleting rules as the potentially over-sized match_size won't match
the one parsed from the kernel.

A workaround would be to make bramong_parse() realloc the match also if
new size is smaller than the old one. This patch attempts a proper fix
though, by making ebt_command_default() copy the extension first and
parsing the option into the copy afterwards.

No Fixes tag: Prior to commit 24bb57d3f52ac ("ebtables: Support for
guided option parser"), ebtables relied upon the extension's parser
return code instead of checking option_offset, so copying the extension
opportunistically wasn't feasible.

Signed-off-by: Phil Sutter <phil@nwl.cc>

iptables/nft-bridge.h		diff \| blob \| blame \| history
iptables/xtables-eb.c		diff \| blob \| blame \| history