From 8ef12cb54dbd37466ab10586591eb84338475c2a Mon Sep 17 00:00:00 2001
From: Jo-Philipp Wich
Date: Fri, 2 Mar 2018 11:36:39 +0100
Subject: [PATCH] iptables: fix possible NULL pointer access on constructing rule masks

Due to a misplaced parenthesis, rule_mask() may try to access r->target->userspacesize through a r->target NULL pointer.

Fix this problem by correcting the parenthesis placement in the memset expression, using the originally intented operator precedence.

Spotted in the cz.nic fork of firewall3.

Signed-off-by: Jo-Philipp Wich
---
 iptables.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/iptables.c b/iptables.c
index a48a8b6..f8d4d46 100644
--- a/iptables.c
+++ b/iptables.c
@@ -1423,7 +1423,7 @@ rule_mask(struct fw3_ipt_rule *r)
 p += SZ(ip6t_entry_match) + m->match->size;
 }
 
- memset(p, 0xFF, SZ(ip6t_entry_target) + (r->target) ? r->target->userspacesize : 0);
+ memset(p, 0xFF, SZ(ip6t_entry_target) + (r->target ? r->target->userspacesize : 0));
 }
 else
 #endif
@@ -1447,7 +1447,7 @@ rule_mask(struct fw3_ipt_rule *r)
 p += SZ(ipt_entry_match) + m->match->size;
 }
 
- memset(p, 0xFF, SZ(ipt_entry_target) + (r->target) ? r->target->userspacesize : 0);
+ memset(p, 0xFF, SZ(ipt_entry_target) + (r->target ? r->target->userspacesize : 0));
 }
 
 return mask;
-- 
2.11.0
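Review bot: The size argument of the new memset line still nests a ternary inside an addition, which is exactly the shape that concealed the original precedence bug, and the same expression is repeated verbatim in the second hunk at @@ -1447; a named local makes the intent unmissable and leaves nothing for a future edit to misplace, e.g. `size_t tsize = r->target ? r->target->userspacesize : 0;` followed by `memset(p, 0xFF, SZ(ip6t_entry_target) + tsize);` (and the `SZ(ipt_entry_target)` counterpart). With the fix the write now covers SZ(ip6t_entry_target) bytes even when r->target is NULL; whether the mask buffer was allocated to include the target header in that case is not visible in either hunk and should be confirmed against the allocation earlier in rule_mask, since the old expression never reached that case without dereferencing NULL. rule_mask() begins and ends outside both hunks.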