From: Patrick McHardy <kaber@trash.net>
To: Jingmin Zhou <zhouji@cs.ucdavis.edu>
Cc: netfilter-devel@lists.netfilter.org
Subject: Re: double-free bug and a question
Date: Fri, 15 Sep 2006 23:05:07 +0200
Message-ID: <450B1583.2090703@trash.net>
In-Reply-To: <Pine.LNX.4.64.0609151009060.623@mariner.cs.ucdavis.edu>
jmzhou.ml@gmail.com wrote:
> Thanks for the information.
>
> As you said, for a simple range in either source or destination port,
> multiport is not needed. However, iptables allows me to specify either
> --sports or --dports or --ports with a simple range. Anyway, this detail
> is not important to my question.
>
> My question is actually different from the crash example. I have a set
> of source ports (e.g., 53, 55, 57) and a set of destination ports (e.g.,
> 1023, 1025, 1027). They are different sets. How can I specify both sets
> in a single iptables rule? That means I want to match a packet that has
> a source port of 53, 55 or 57 and a destination port of 1023, 1025 or
> 1027? As the manual says, it seems --ports is not the option for me.
Looking at the code, it's not possible. Multiport can only match either
source or destination, but the current SVN version of iptables supports
multiple instances of the same match in one rule, so you can use
-m multiport twice.
>
> Here's the stack backtrace, hope it helps. I'm running the command on
> Slackware -current (11.0rc) with kernel 2.6.16.18.
>
> (gdb) run -A INPUT --protocol udp -m multiport --dports 65530:65535 -m
> multiport --sport 53:67 -j ACCEPT
> Starting program: /usr/sbin/iptables -A INPUT --protocol udp -m
> multiport --dports 65530:65535 -m multiport --sport 53:67 -j ACCEPT
> (no debugging symbols found)
> (no debugging symbols found)
> (no debugging symbols found)
> (no debugging symbols found)
> (no debugging symbols found)
> (no debugging symbols found)
> (no debugging symbols found)
> (no debugging symbols found)
> (no debugging symbols found)
> *** glibc detected *** double free or corruption (!prev): 0x08055160 ***
>
> Program received signal SIGABRT, Aborted.
> 0xb7e67847 in raise () from /lib/tls/libc.so.6
> (gdb) where
> #0 0xb7e67847 in raise () from /lib/tls/libc.so.6
> #1 0xb7e690d9 in abort () from /lib/tls/libc.so.6
> #2 0xb7e9b616 in __libc_message () from /lib/tls/libc.so.6
> #3 0xb7ea1d4f in _int_free () from /lib/tls/libc.so.6
> #4 0xb7ea20ea in free () from /lib/tls/libc.so.6
> #5 0x0804c327 in clear_rule_matches ()
> #6 0x0804d759 in do_command ()
> #7 0x08049d10 in main ()
Thanks, this seems to be already fixed in SVN revision r6465.