iptables-restore segfaults

Harald Welte laforge@gnumonks.org
Sun, 21 Oct 2001 16:35:27 +0200


On Fri, Oct 19, 2001 at 03:56:11AM +0200, Andreas Ferber wrote:
> On Tue, Oct 16, 2001 at 09:46:35AM +0200, Harald Welte wrote:
> > 
> > ok. I'll consider your patch, though I'm not sure if there is a more clean
> > way of solving the problem.  Maybe the iptables core should refuse taking
> > two "-t " options at all.
> 
> The version in CVS is totally broken. It now refuses any option
> containing "-t" as a substring, like "--to-destination".

thanks for pointing out this stupid bug.

> Bens original patch wasn't that broken, as it checks for whitespace
> after the "-t", but it's still broken. Guess what happens if I happen
> to have a network interface named "-t" ("foo-t" will also trigger with
> Bens patch) and try to match it...
> 
> Attached is a patch that fixes all the issues mentioned above.

ok.  For some reason I didn't like your solution - sorry, no offense.

I've now move the "-t" check into the parser itself.  This way the error
message should only be triggered if there is a single argument of "-t".

> The changes for ip6tables are similar.

oh yes, I have to change ip6tables-restore as well. thanks :)

> Andreas

-- 
Live long and prosper
- Harald Welte / laforge@gnumonks.org               http://www.gnumonks.org/
============================================================================
GCS/E/IT d- s-: a-- C+++ UL++++$ P+++ L++++$ E--- W- N++ o? K- w--- O- M- 
V-- PS+ PE-- Y+ PGP++ t++ 5-- !X !R tv-- b+++ DI? !D G+ e* h+ r% y+(*)