* [IPTABLES] [PATCH] fix is_same with userspacesize != size in targets
@ 2005-03-06 22:41 Pablo Neira
From: Pablo Neira @ 2005-03-06 22:41 UTC (permalink / raw)
  To: Netfilter Development Mailinglist

[-- Attachment #1: Type: text/plain, Size: 506 bytes --]

I've discovered a bug in same_is while fixing deletion in CLUSTERIP.

CLUSTERIP has to define a different userspacesize for the private target
info because of the config pointer. This should be enough to fix rule
deletion, but the function same_is returns a wrong pointer to the
comparison mask array since it doesn't add the size of ipt_entry.
Because of that, target_same returns 0 and no rule matches.

Impact: This just affects rule deletion with targets that have
userspacesize != size.

--
Pablo

[-- Attachment #2: fix-del-with-userspacesize-target.patch --]
[-- Type: text/x-patch, Size: 795 bytes --]

Index: libiptc/libip4tc.c
===================================================================
--- libiptc/libip4tc.c	(revision 3742)
+++ libiptc/libip4tc.c	(working copy)
@@ -210,6 +210,7 @@
 	mptr = matchmask + sizeof(STRUCT_ENTRY);
 	if (IPT_MATCH_ITERATE(a, match_different, a->elems, b->elems, &mptr))
 		return NULL;
+	mptr += IPT_ALIGN(sizeof(struct ipt_entry_target));
 
 	return mptr;
 }
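
Review bot: the added `mptr += IPT_ALIGN(sizeof(struct ipt_entry_target));` skips the target header, while the description says the missing offset is "the size of ipt_entry"; the `sizeof(STRUCT_ENTRY)` offset is already applied on the first context line. Please correct the changelog to name the target header, and add a one-line comment above the new statement saying that the returned pointer now addresses the mask bytes for the target's private data, because nothing in the code states what the return value points at and the deletion path described in the message relies on it.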
Index: libiptc/libip6tc.c
===================================================================
--- libiptc/libip6tc.c	(revision 3742)
+++ libiptc/libip6tc.c	(working copy)
@@ -242,6 +242,7 @@
 	mptr = matchmask + sizeof(STRUCT_ENTRY);
 	if (IP6T_MATCH_ITERATE(a, match_different, a->elems, b->elems, &mptr))
 		return NULL;
+	mptr += IP6T_ALIGN(sizeof(struct ip6t_entry_target));
 
 	return mptr;
 }
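
Review bot: the new line spells out `IP6T_ALIGN` and `struct ip6t_entry_target`, while the surrounding context uses the family-neutral `STRUCT_ENTRY` macro, and this hunk is otherwise identical to the libip4tc.c one. If the file has a matching generic macro for the target struct and for alignment, use those so the IPv4 and IPv6 copies of this function stay textually the same and later fixes apply to both. It would also help to mention in the changelog that the IPv6 side was changed for symmetry, since the description only discusses the CLUSTERIP case.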
