From: Jo-Philipp Wich
Date: Fri, 2 Mar 2018 10:36:39 +0000 (+0100)
Subject: iptables: fix possible NULL pointer access on constructing rule masks
X-Git-Url: http://git.archive.openwrt.org/?p=project%2Ffirewall3.git;a=commitdiff_plain;h=8ef12cb54dbd37466ab10586591eb84338475c2a;ds=sidebyside

iptables: fix possible NULL pointer access on constructing rule masks

Due to a misplaced parenthesis, rule_mask() may try to access r->target->userspacesize through a r->target NULL pointer.

Fix this problem by correcting the parenthesis placement in the memset expression, using the originally intended operator precedence.

Spotted in the cz.nic fork of firewall3.

Signed-off-by: Jo-Philipp Wich
---
diff --git a/iptables.c b/iptables.c index a48a8b6..f8d4d46 100644 --- a/iptables.c +++ b/iptables.c @@ -1423,7 +1423,7 @@ rule_mask(struct fw3_ipt_rule *r) p += SZ(ip6t_entry_match) + m->match->size; } - memset(p, 0xFF, SZ(ip6t_entry_target) + (r->target) ? r->target->userspacesize : 0); + memset(p, 0xFF, SZ(ip6t_entry_target) + (r->target ? r->target->userspacesize : 0)); } else #endif @@ -1447,7 +1447,7 @@ rule_mask(struct fw3_ipt_rule *r) p += SZ(ipt_entry_match) + m->match->size; } - memset(p, 0xFF, SZ(ipt_entry_target) + (r->target) ? r->target->userspacesize : 0); + memset(p, 0xFF, SZ(ipt_entry_target) + (r->target ? r->target->userspacesize : 0)); } return mask;
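
Review bot: On the changed memset line of the first hunk (IPv6 branch, @@ -1423), the new grouping also changes the length passed for rules that do have a target, and the commit message only describes the NULL case. Because + binds tighter than ?:, the old expression grouped as (SZ(ip6t_entry_target) + (r->target)) ? r->target->userspacesize : 0, so whenever the condition held the length was r->target->userspacesize alone and the SZ(ip6t_entry_target) header bytes were never counted. Please add a sentence to the commit message saying that masks for rules with a target now cover the entry-target header as well, since the resulting mask differs from what earlier builds produced.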
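
Review bot: On the changed memset line of the second hunk (IPv4 branch, @@ -1447), a NULL r->target still results in SZ(ipt_entry_target) bytes of 0xFF being written at p, and the allocation behind mask is not visible in this diff. Please confirm that the buffer reserves room for the target header even when the rule has no target, or skip the memset in that case. The same length expression now appears in both branches; computing it once in a local variable or small helper would keep a precedence slip like this from being fixed or reintroduced in only one of them.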