[ANNOUNCE] Release of iptables-1.3.2

[ANNOUNCE] Release of iptables-1.3.2

[Netfilter Core Team]

[-- Attachment #1.1: Type: text/plain, Size: 1081 bytes --]

Hi!

The netfilter coreteam proudly presents:

	iptables version 1.3.2

The final 1.3.2 version contains accumulated bugfixes to the
last 1.3.1 version.  No new targets/matches have been added.

The ChangeLog is attached to this mail.

Version 1.3.2 can be obtained from:

	http://www.netfilter.org/files/iptables-1.3.2.tar.bz2
	ftp://ftp.netfilter.org/pub/iptables/iptables-1.3.2.tar.bz2

Please also note: patch-o-matic-ng is Distributed as seperate package: 
	ftp://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/
	
More information can be found at the netfilter/iptables project homepage,
available at:

	http://www.netfilter.org/
	http://www.iptables.org/

Happy firewalling,

-- 
- Harald Welte <laforge@netfilter.org>             http://www.netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie

[-- Attachment #1.2: changes-iptables-1.3.2.txt --]
[-- Type: text/plain, Size: 1936 bytes --]

iptables v1.3.2 Changelog
======================================================================
This version requires kernel >= 2.4.0
This version recommends kernel >= 2.4.18

Bugs fixed from 1.3.1:

- Fix TCPLAG version
	[ Torsten Luettgert ]

- More error checking in SET target
	[ Michal Pokrywka ]

- Fix optflags value for OPT_LINENUMBERS
	[ Jonas Berlin ]

- Allow NULL init function in ip6tables plugins
	[ Jonas Berlin ]

- Don't allow newlines in LOG prefix
	[ Phil Oester ]

- Introduce ip_conntrack_old_tuple to userspace header copy
	[ Pablo Neira ]

- Fix connbytes command line parsing bug
	[ Piotrek Kaczmarek ]

- Ignore unknown arguments in libipt_ULOG 
	[ Patrick McHardy ]

- Correct error in multiport manpage wrt. "--ports"
	[ Rusty Russell ]

- Fix CONNMARK save/restore 
	[ Tom Eastep, Pawel Sikora ]

- Make sure chain name doesn't start with '!' 
	[ Yasuyuki Kozakai ]

- Prevent user to specify negative ports in SNAT/DNAT
	[ Yasuyuki Kozakai ]

- Fix deletion of targets where kernel size != userspace size 
	[ Pablo Neira ]

- Fix save/restore of '! --uid-owner squid' problem in ip6t_owner
	[ Harald Welte ]

Changes from 1.3.1:

- Add ``--log-uid'' option to ip6t_LOG target
	[ Patrick McHardy ]

- Improve REDIRECT manpage
	[ Jonas Berlin ]

- Add a number of missing manpage snippets
	[ Jonas Berlin ]

- Include FIN bit in mask of "--syn" bits
	[ Harald Welte ]

- Release previously merged options from merge_opts(), reduces memory-usage of
  ipt ables-restore dramatically 
  	[ Pablo Neira ]

- OSF: changes to support connector notifications
	[ Evgeniy Polyakov ]

- Reduce code replication of parse_interface() 
	[ Yasuyuki Kozakai ]

Please note: Since version 1.2.7a, patch-o-matic is now no longer part of
iptables but rather distributed as a seperate package
(ftp://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot)


[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Re: [ANNOUNCE] Release of iptables-1.3.2

[Marcus Sundberg]

Netfilter Core Team wrote:
> - Release previously merged options from merge_opts(), reduces memory-usage of
>   ipt ables-restore dramatically 

Hi,

the call to free_opts() in merge_options() is invalid C. The oldopts
argument always refers to the memory pointed to by the opts global,
which may be freed by the call to free_opts(), but oldopts is used
after the free_opts() call. This patch makes sure we don't use freed
memory.

//Marcus

--- iptables.c	2005/07/16 12:52:33
+++ iptables.c	2005/07/16 12:52:45
@@ -1028,9 +1028,6 @@ merge_options(struct option *oldopts, co
 	unsigned int num_old, num_new, i;
 	struct option *merge;

-	/* Release previous options merged if any */
-	free_opts(0);
-	
 	for (num_old = 0; oldopts[num_old].name; num_old++);
 	for (num_new = 0; newopts[num_new].name; num_new++);

@@ -1039,6 +1036,7 @@ merge_options(struct option *oldopts, co

 	merge = malloc(sizeof(struct option) * (num_new + num_old + 1));
 	memcpy(merge, oldopts, num_old * sizeof(struct option));
+	free_opts(0); /* Release previous options merged if any */
 	for (i = 0; i < num_new; i++) {
 		merge[num_old + i] = newopts[i];
 		merge[num_old + i].val += *option_offset;


-- 
---------------------------------------+--------------------------
  Marcus Sundberg <marcus@ingate.com>  | Firewalls with SIP & NAT
 Software Developer, Ingate Systems AB |  http://www.ingate.com/

[PATCH] Avoid using freed memory in iptables.c

[Marcus Sundberg]

Hi, resend in slighty more conformant(?) format:

The call to free_opts() in merge_options() is invalid C. The oldopts
argument always refers to the memory pointed to by the opts global,
which may be freed by the call to free_opts(), but oldopts is used
after the free_opts() call. This patch makes sure we don't use freed
memory.

Signed-off-by: Marcus Sundberg <marcus@ingate.com>


--- a/iptables.c	2005/07/16 12:52:33
+++ b/iptables.c	2005/07/16 12:52:45
@@ -1028,9 +1028,6 @@ merge_options(struct option *oldopts, co
 	unsigned int num_old, num_new, i;
 	struct option *merge;

-	/* Release previous options merged if any */
-	free_opts(0);
-	
 	for (num_old = 0; oldopts[num_old].name; num_old++);
 	for (num_new = 0; newopts[num_new].name; num_new++);

@@ -1039,6 +1036,7 @@ merge_options(struct option *oldopts, co

 	merge = malloc(sizeof(struct option) * (num_new + num_old + 1));
 	memcpy(merge, oldopts, num_old * sizeof(struct option));
+	free_opts(0); /* Release previous options merged if any */
 	for (i = 0; i < num_new; i++) {
 		merge[num_old + i] = newopts[i];
 		merge[num_old + i].val += *option_offset;


-- 
---------------------------------------+--------------------------
  Marcus Sundberg <marcus@ingate.com>  | Firewalls with SIP & NAT
 Software Developer, Ingate Systems AB |  http://www.ingate.com/

Re: [PATCH] Avoid using freed memory in iptables.c

[Harald Welte]

[-- Attachment #1: Type: text/plain, Size: 873 bytes --]

On Mon, Jul 18, 2005 at 05:53:37PM +0200, Marcus Sundberg wrote:
> The call to free_opts() in merge_options() is invalid C. The oldopts
> argument always refers to the memory pointed to by the opts global,
> which may be freed by the call to free_opts(), but oldopts is used
> after the free_opts() call. This patch makes sure we don't use freed
> memory.

thanks, I finally merged your important fix today (and also fixed
ip6tables.c).  I think iptables-1.3.3 should be released any day now.
-- 
- Harald Welte <laforge@netfilter.org>                 http://netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]