The rule field in the ipfw_dyn_rule structure is used as storage

to pass rule number and rule set to userland. In r272840 the kernel
internal rule representation was changed and the rulenum field of
struct ip_fw_rule got the type uint32_t, but the userlevel representation
still has the type uint16_t. To avoid overflowing the size of the pointer
on systems with 32-bit pointers, use a separate variable to
copy rulenum and set.

Reported by:	PVS-Studio
MFC after:	1 week
Andrey V. Elsukov 2017-04-14 11:19:09 +00:00
parent 57386f5dce
commit 1ca7c3b815
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=316824


@ -1709,15 +1709,17 @@ ipfw_dyn_get_count(void)
static void
export_dyn_rule(ipfw_dyn_rule *src, ipfw_dyn_rule *dst)
{
uint16_t rulenum;
rulenum = (uint16_t)src->rule->rulenum;
memcpy(dst, src, sizeof(*src));
memcpy(&(dst->rule), &(src->rule->rulenum), sizeof(src->rule->rulenum));
memcpy(&dst->rule, &rulenum, sizeof(rulenum));
/*
* store set number into high word of
* dst->rule pointer.
*/
memcpy((char *)&dst->rule + sizeof(src->rule->rulenum),
&(src->rule->set), sizeof(src->rule->set));
memcpy((char *)&dst->rule + sizeof(rulenum), &src->rule->set,
sizeof(src->rule->set));
/*
* store a non-null value in "next".
* The userland code will interpret a
@ -1725,8 +1727,8 @@ export_dyn_rule(ipfw_dyn_rule *src, ipfw_dyn_rule *dst)
* for the last dynamic rule.
*/
memcpy(&dst->next, &dst, sizeof(dst));
dst->expire =
TIME_LEQ(dst->expire, time_uptime) ? 0 : dst->expire - time_uptime;
dst->expire = TIME_LEQ(dst->expire, time_uptime) ? 0:
dst->expire - time_uptime;
}
/*
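Review bot: After the two memcpy calls into `dst->rule`, any bytes of that pointer-sized field beyond `sizeof(rulenum) + sizeof(src->rule->set)` still hold part of the kernel pointer that `memcpy(dst, src, sizeof(*src))` copied in. The commit message says this record is handed to userland, so those leftover bytes would disclose part of a kernel address wherever the field is wider than the two stored values, which looks likely with 64-bit pointers. I would clear the field before filling it, `memset(&dst->rule, 0, sizeof(dst->rule));`, placed right after the whole-struct copy. Separately, the `(uint16_t)` cast truncates silently; if the kernel can hold rule numbers above 65535 (not visible in this hunk), a short comment or assertion stating the bound would make the narrowing deliberate.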