iptables: fix possible NULL pointer access on constructing rule masks

Due to a misplaced parenthesis, rule_mask() may try to access
r->target->userspacesize through a r->target NULL pointer.

Fix this problem by correcting the parenthesis placement in the memset
expression, using the originally intented operator precedence.

Spotted in the cz.nic fork of firewall3.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>

diff --git a/iptables.c b/iptables.c
index a48a8b6..f8d4d46 100644 (file)
--- a/iptables.c
+++ b/iptables.c
@@ -1423,7 +1423,7 @@ rule_mask(struct fw3_ipt_rule *r)
                        p += SZ(ip6t_entry_match) + m->match->size;
                }
 
-               memset(p, 0xFF, SZ(ip6t_entry_target) + (r->target) ? r->target->userspacesize : 0);
+               memset(p, 0xFF, SZ(ip6t_entry_target) + (r->target ? r->target->userspacesize : 0));
        }
        else
 #endif
@@ -1447,7 +1447,7 @@ rule_mask(struct fw3_ipt_rule *r)
                        p += SZ(ipt_entry_match) + m->match->size;
                }
 
-               memset(p, 0xFF, SZ(ipt_entry_target) + (r->target) ? r->target->userspacesize : 0);
+               memset(p, 0xFF, SZ(ipt_entry_target) + (r->target ? r->target->userspacesize : 0));
        }
 
        return mask;