From bcf1d6cb8bd521c716ae38dd08ee52d267cfa25e Mon Sep 17 00:00:00 2001
From: Phil Sutter
Date: Wed, 23 Oct 2019 12:06:55 +0200
Subject: [PATCH 1/2] xtables-restore: Fix --table parameter check

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1749700
Upstream Status: iptables commit 3dc433b55bbfa
Conflicts: Downstream does not support nft-variants.

commit 3dc433b55bbfaf9df3ee408aaa6282742f377864
Author: Phil Sutter
Date: Fri Sep 20 17:31:58 2019 +0200

xtables-restore: Fix --table parameter check

Xtables-restore tries to reject rule commands in input which contain a --table parameter (since it is adding this itself based on the previous table line). The manual check was not perfect though as it caught any parameter starting with a dash and containing a 't' somewhere, even in rule comments:

| *filter
| -A FORWARD -m comment --comment "- allow this one" -j ACCEPT
| COMMIT

Instead of error-prone manual checking, go a much simpler route: All do_command callbacks are passed a boolean indicating they're called from *tables-restore. React upon this when handling a table parameter and error out if it's not the first one.

Fixes: f8e5ebc5986bf ("iptables: Fix crash on malformed iptables-restore")
Signed-off-by: Phil Sutter
Acked-by: Florian Westphal

Signed-off-by: Phil Sutter
---
iptables/iptables.c | 4 ++++
iptables/xshared.c | 12 ------------
2 files changed, 4 insertions(+), 12 deletions(-)

diff --git a/iptables/iptables.c b/iptables/iptables.c
index dc70cc6e9b0ec..d106a18949407 100644
--- a/iptables/iptables.c
+++ b/iptables/iptables.c
@@ -1591,6 +1591,10 @@ int do_command4(int argc, char *argv[], char **table,
if (cs.invert)
xtables_error(PARAMETER_PROBLEM, "unexpected ! flag before --table");
+ if (restore && *table)
xtables_error(PARAMETER_PROBLEM,
+ "The -t option (seen in line %u) cannot be used in %s.\n",
+ line, xt_params->program_name);
*table = optarg;
break;
diff --git a/iptables/xshared.c b/iptables/xshared.c
index 84dbea562576e..058b5e8b63896 100644
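Review bot: The `if (restore && *table)` guard added in the `-t` case of do_command4 is the only replacement for the check removed from add_param_to_argv in xshared.c, and per the diffstat only iptables.c gains it; the old check ran for every front end that parses restore input through add_param_to_argv, so unless the second patch of this series adds the same test to the table case of do_command6, ip6tables-restore would now accept a `-t` inside a rule line instead of rejecting it. Two smaller points on the new lines: `line` is declared `int` where it is visible (the add_param_to_argv signature in xshared.c) but is printed with `%u`, as the removed message also did, so `%d` would match if the variable used here has the same type; and the rejection now depends entirely on the restore caller having stored the `*<name>` line into `*table` before do_command4 runs, so a rule line that reaches do_command4 with `*table` still NULL would have its `-t` accepted silently. A one-line comment would make that contract explicit: `/* restore mode: caller set *table from the "*<name>" line, so any -t here is a second, conflicting source */`. The body of do_command4 starts and ends outside this hunk.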
--- a/iptables/xshared.c
+++ b/iptables/xshared.c
@@ -513,18 +513,6 @@ void add_param_to_argv(char *parsestart, int line)
}
param_buffer[param_len] = '\0';
-
- /* check if table name specified */
- if ((param_buffer[0] == '-' &&
- param_buffer[1] != '-' &&
- strchr(param_buffer, 't')) ||
- (!strncmp(param_buffer, "--t", 3) &&
- !strncmp(param_buffer, "--table", strlen(param_buffer)))) {
- xtables_error(PARAMETER_PROBLEM,
- "The -t option (seen in line %u) cannot be used in %s.\n",
- line, xt_params->program_name);
- }
-
add_argv(param_buffer, 0);
param_len = 0;
}
-- 
2.23.0