[PATCH] Avoid using freed memory in iptables.c
Marcus Sundberg
marcus at ingate.com
Mon Jul 18 17:53:37 CEST 2005
Hi, resend in slighty more conformant(?) format:
The call to free_opts() in merge_options() is invalid C. The oldopts
argument always refers to the memory pointed to by the opts global,
which may be freed by the call to free_opts(), but oldopts is used
after the free_opts() call. This patch makes sure we don't use freed
memory.
Signed-off-by: Marcus Sundberg <marcus at ingate.com>
--- a/iptables.c 2005/07/16 12:52:33
+++ b/iptables.c 2005/07/16 12:52:45
@@ -1028,9 +1028,6 @@ merge_options(struct option *oldopts, co
unsigned int num_old, num_new, i;
struct option *merge;
- /* Release previous options merged if any */
- free_opts(0);
-
for (num_old = 0; oldopts[num_old].name; num_old++);
for (num_new = 0; newopts[num_new].name; num_new++);
@@ -1039,6 +1036,7 @@ merge_options(struct option *oldopts, co
merge = malloc(sizeof(struct option) * (num_new + num_old + 1));
memcpy(merge, oldopts, num_old * sizeof(struct option));
+ free_opts(0); /* Release previous options merged if any */
for (i = 0; i < num_new; i++) {
merge[num_old + i] = newopts[i];
merge[num_old + i].val += *option_offset;
--
---------------------------------------+--------------------------
Marcus Sundberg <marcus at ingate.com> | Firewalls with SIP & NAT
Software Developer, Ingate Systems AB | http://www.ingate.com/
More information about the netfilter-devel
mailing list