This patch fixes a bug in iptables that is causing memory corruption when a rule contains IPv6 address with mask divisible by 8 or equal to /128. After some debugging, we found out that this bug was already reported and applied in commit a76a5c997a235f822d49799c25fce8e311d473c7 in iptables.
The bug occured on PowerPC platform (mpc85xx), resulting in segfault. It's possible that it'd not surface on other platforms or with some compiler options, as the overflown byte wouldn't rewrite any vital address. This patch would probably be no longer necessasy after release of iptables 1.4.22, however it's not sure when a new version is going to be released and this bug can make using IPv6 rules in iptables impossible. Also, can you please backport this patch to BB? Signed-off-by: Jan Cermak <jan.cer...@nic.cz> Link to original commit in iptables repository: https://git.netfilter.org/iptables/commit/?id=a76a5c997a235f822d49799c25fce8e311d473c7 diff --git a/package/network/utils/iptables/patches/600-libxtables-fix-two-off-by-one-memory-corruption-bugs.patch b/package/network/utils/iptables/patches/600-libxtables-fix-two-off-by-one-memory-corruption-bugs.patch new file mode 100644 index 0000000..3f7364b --- /dev/null +++ b/package/network/utils/iptables/patches/600-libxtables-fix-two-off-by-one-memory-corruption-bugs.patch @@ -0,0 +1,14 @@ +--- a/libxtables/xtables.c ++++ b/libxtables/xtables.c +@@ -1704,8 +1704,9 @@ static struct in6_addr *parse_ip6mask(char *mask) + if (bits != 0) { + char *p = (void *)&maskaddr; + memset(p, 0xff, bits / 8); +- memset(p + (bits / 8) + 1, 0, (128 - bits) / 8); +- p[bits/8] = 0xff << (8 - (bits & 7)); ++ memset(p + ((bits + 7) / 8), 0, (128 - bits) / 8); ++ if (bits < 128) ++ p[bits/8] = 0xff << (8 - (bits & 7)); + return &maskaddr; + } + _______________________________________________ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
