* [ANNOUNCE] Release of iptables-1.3.2
@ 2005-07-10 15:05 Netfilter Core Team
From: Netfilter Core Team @ 2005-07-10 15:05 UTC (permalink / raw)
To: Netfilter Announcement List, Netfilter Mailinglist,
Netfilter Development Mailinglist
Cc: lwn
Hi!
The netfilter coreteam proudly presents:
iptables version 1.3.2
The final 1.3.2 version contains accumulated bugfixes to the
last 1.3.1 version. No new targets/matches have been added.
The ChangeLog is attached to this mail.
Version 1.3.2 can be obtained from:
http://www.netfilter.org/files/iptables-1.3.2.tar.bz2
ftp://ftp.netfilter.org/pub/iptables/iptables-1.3.2.tar.bz2
Please also note: patch-o-matic-ng is distributed as a separate package:
ftp://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/
More information can be found at the netfilter/iptables project homepage,
available at:
http://www.netfilter.org/
http://www.iptables.org/
Happy firewalling,
--
- Harald Welte <laforge@netfilter.org> http://www.netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going
on while IP was being designed." -- Paul Vixie
[-- Attachment #1.2: changes-iptables-1.3.2.txt --]
iptables v1.3.2 Changelog
======================================================================
This version requires kernel >= 2.4.0
This version recommends kernel >= 2.4.18
Bugs fixed from 1.3.1:
- Fix TCPLAG version
[ Torsten Luettgert ]
- More error checking in SET target
[ Michal Pokrywka ]
- Fix optflags value for OPT_LINENUMBERS
[ Jonas Berlin ]
- Allow NULL init function in ip6tables plugins
[ Jonas Berlin ]
- Don't allow newlines in LOG prefix
[ Phil Oester ]
- Introduce ip_conntrack_old_tuple to userspace header copy
[ Pablo Neira ]
- Fix connbytes command line parsing bug
[ Piotrek Kaczmarek ]
- Ignore unknown arguments in libipt_ULOG
[ Patrick McHardy ]
- Correct error in multiport manpage wrt. "--ports"
[ Rusty Russell ]
- Fix CONNMARK save/restore
[ Tom Eastep, Pawel Sikora ]
- Make sure chain name doesn't start with '!'
[ Yasuyuki Kozakai ]
- Prevent user from specifying negative ports in SNAT/DNAT
[ Yasuyuki Kozakai ]
- Fix deletion of targets where kernel size != userspace size
[ Pablo Neira ]
- Fix save/restore of '! --uid-owner squid' problem in ip6t_owner
[ Harald Welte ]
Changes from 1.3.1:
- Add ``--log-uid'' option to ip6t_LOG target
[ Patrick McHardy ]
- Improve REDIRECT manpage
[ Jonas Berlin ]
- Add a number of missing manpage snippets
[ Jonas Berlin ]
- Include FIN bit in mask of "--syn" bits
[ Harald Welte ]
- Release previously merged options from merge_opts(), reduces memory-usage of
iptables-restore dramatically
[ Pablo Neira ]
- OSF: changes to support connector notifications
[ Evgeniy Polyakov ]
- Reduce code replication of parse_interface()
[ Yasuyuki Kozakai ]
Please note: Since version 1.2.7a, patch-o-matic is no longer part of
iptables but rather distributed as a separate package
(ftp://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot)
* Re: [ANNOUNCE] Release of iptables-1.3.2
@ 2005-07-16 12:58 ` Marcus Sundberg
From: Marcus Sundberg @ 2005-07-16 12:58 UTC (permalink / raw)
To: Harald Welte; +Cc: Netfilter Development Mailinglist
Netfilter Core Team wrote:
> - Release previously merged options from merge_opts(), reduces memory-usage of
> iptables-restore dramatically
Hi,
the call to free_opts() in merge_options() is invalid C. The oldopts
argument always refers to the memory pointed to by the opts global,
which may be freed by the call to free_opts(), but oldopts is used
after the free_opts() call. This patch makes sure we don't use freed
memory.
//Marcus
--- iptables.c 2005/07/16 12:52:33
+++ iptables.c 2005/07/16 12:52:45
@@ -1028,9 +1028,6 @@ merge_options(struct option *oldopts, co
unsigned int num_old, num_new, i;
struct option *merge;
- /* Release previous options merged if any */
- free_opts(0);
-
for (num_old = 0; oldopts[num_old].name; num_old++);
for (num_new = 0; newopts[num_new].name; num_new++);
@@ -1039,6 +1036,7 @@ merge_options(struct option *oldopts, co
merge = malloc(sizeof(struct option) * (num_new + num_old + 1));
memcpy(merge, oldopts, num_old * sizeof(struct option));
+ free_opts(0); /* Release previous options merged if any */
for (i = 0; i < num_new; i++) {
merge[num_old + i] = newopts[i];
merge[num_old + i].val += *option_offset;
--
---------------------------------------+--------------------------
Marcus Sundberg <marcus@ingate.com> | Firewalls with SIP & NAT
Software Developer, Ingate Systems AB | http://www.ingate.com/
* [PATCH] Avoid using freed memory in iptables.c
@ 2005-07-18 15:53 ` Marcus Sundberg
From: Marcus Sundberg @ 2005-07-18 15:53 UTC (permalink / raw)
To: netfilter-devel
Hi, resend in slightly more conformant(?) format:
The call to free_opts() in merge_options() is invalid C. The oldopts
argument always refers to the memory pointed to by the opts global,
which may be freed by the call to free_opts(), but oldopts is used
after the free_opts() call. This patch makes sure we don't use freed
memory.
Signed-off-by: Marcus Sundberg <marcus@ingate.com>
--- a/iptables.c 2005/07/16 12:52:33
+++ b/iptables.c 2005/07/16 12:52:45
@@ -1028,9 +1028,6 @@ merge_options(struct option *oldopts, co
unsigned int num_old, num_new, i;
struct option *merge;
- /* Release previous options merged if any */
- free_opts(0);
-
for (num_old = 0; oldopts[num_old].name; num_old++);
for (num_new = 0; newopts[num_new].name; num_new++);
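Review bot: the removal is right for the reason given in the description, but the invariant it depends on (oldopts aliases the global table that free_opts(0) releases) is not stated anywhere in the visible code; a one-line comment on merge_options() saying that oldopts must not be touched after free_opts() would keep a later refactor from moving the free back above the `for (num_old = 0; oldopts[num_old].name; num_old++);` loop and silently reintroducing the use-after-free.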
@@ -1039,6 +1036,7 @@ merge_options(struct option *oldopts, co
merge = malloc(sizeof(struct option) * (num_new + num_old + 1));
memcpy(merge, oldopts, num_old * sizeof(struct option));
+ free_opts(0); /* Release previous options merged if any */
for (i = 0; i < num_new; i++) {
merge[num_old + i] = newopts[i];
merge[num_old + i].val += *option_offset;
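Review bot: the new `free_opts(0);` now follows the last read of oldopts (the memcpy), which is what fixes the bug, but oldopts remains a dangling pointer for the rest of the function, and `merge` comes from an unchecked `malloc()` on the context line above, so on allocation failure the memcpy writes through NULL before the old table is released. Consider checking `merge` before the memcpy and setting `oldopts = NULL` right after the free so that any accidental later use faults instead of reading freed memory.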
--
---------------------------------------+--------------------------
Marcus Sundberg <marcus@ingate.com> | Firewalls with SIP & NAT
Software Developer, Ingate Systems AB | http://www.ingate.com/
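The ordering problem Marcus describes, as an added example that is not iptables code and not part of the patch: a minimal model of merge_options() with the fix applied, where the caller passes the global `opts` back in as `oldopts`, so the two alias. The `struct opt` layout, the table names and the offset values are constructed for this example.

```c
#include <stdlib.h>
#include <string.h>

struct opt { const char *name; int val; };   /* stand-in for struct option */
static struct opt *opts;                     /* global; callers pass it back as oldopts */
static size_t count_opts(const struct opt *o)
{
	size_t n = 0;
	while (o[n].name) n++;                   /* table ends with a NULL name */
	return n;
}
static void free_opts(void) { free(opts); opts = NULL; }

/* Append newopts to oldopts, adding *option_offset to each new val.  Every
 * read of oldopts precedes free_opts(): when the caller passed the global
 * back in, freeing opts frees the very memory oldopts points to. */
struct opt *merge_options(struct opt *oldopts, const struct opt *newopts,
			  const int *option_offset)
{
	size_t num_old = count_opts(oldopts), num_new = count_opts(newopts);
	struct opt *merge = malloc(sizeof(*merge) * (num_old + num_new + 1));
	if (!merge)
		return NULL;
	memcpy(merge, oldopts, num_old * sizeof(*merge));
	free_opts();        /* oldopts dangles from here on ... */
	oldopts = NULL;     /* ... so a later use faults instead of reading freed memory */
	for (size_t i = 0; i < num_new; i++) {
		merge[num_old + i] = newopts[i];
		merge[num_old + i].val += *option_offset;
	}
	memset(&merge[num_old + num_new], 0, sizeof(*merge));   /* NULL-name terminator */
	return opts = merge;
}

/* Constructed tables: a static base table plus two "extension" tables. */
static struct opt base_tbl[] = { {"verbose", 'v'}, {"numeric", 'n'}, {NULL, 0} };
static const struct opt ext_a[] = { {"dport", 1}, {NULL, 0} };
static const struct opt ext_b[] = { {"log-prefix", 1}, {"log-uid", 2}, {NULL, 0} };

/* Merge twice; the second call passes the global back in (the aliasing case). */
static void build(void)
{
	int off_a = 256, off_b = 512;
	free_opts();                             /* start from an empty global */
	merge_options(base_tbl, ext_a, &off_a);
	merge_options(opts, ext_b, &off_b);
}
int demo_count(void) { build(); return (int)count_opts(opts); }   /* 5 */
int demo_val(size_t i) { build(); return opts[i].val; }           /* demo_val(4) == 514 */
```

Running this under a memory checker shows no read of the freed table; moving free_opts() above the memcpy, as the pre-patch code had it, makes the second merge read freed memory.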