On Mon, Feb 18, 2002 at 07:30:22AM -0500, Laurence J. Lane wrote:

> When invoked with -p proto_num option, iptables receives SIGSEGV if
> proto_num is not listed in /etc/protocols. Here is a transcript:
>
> $ iptables -A INPUT -p 7 --destination-port 139 -j DNAT --to-destination 192.168.200.202:139
> Segmentation fault
> $
>
> This problem occurs because the find_proto function passes the return value
> of proto_to_name to find_match in iptables.c without checking for a NULL value.
> The following patch should solve the problem:
Sorry, just found it in the last minute (patch was not applied to iptables CVS):

What you're doing seems wrong. Using protocol numbers which don't have names in /etc/protocols is totally valid. I'm using this for filtering on SIT (ipv6 in ipv4) packets all the time.

The proposed patch is also wrong in causing exit_error() in case somebody is using a numeric protocol value. Using numeric protocol values is possible and we can't just abort in that case.

When coming back to the given iptables command line above, I can see that somebody is trying to use 'destination-port' parameters (which are only valid in the tcp and udp case) in combination with protocol #7. This should result in an error condition and not in a segfault, I agree. But the bug seems to be elsewhere.

Thanks for reporting the bug anyway.

--
Live long and prosper
- Harald Welte / [EMAIL PROTECTED]               http://www.gnumonks.org/
============================================================================
GCS/E/IT d- s-: a-- C+++ UL++++$ P+++ L++++$ E--- W- N++ o? K- w--- O- M+
V-- PS++ PE-- Y++ PGP++ t+ 5-- !X !R tv-- b+++ !DI !D G+ e* h--- r++ y+(*)
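As an added illustration of the two points made in this exchange (not iptables' own code and not either patch): a NULL return from the protocol-name lookup must be handled by the caller, and a bare number with no /etc/protocols entry must still be accepted as a valid protocol. The function names below are hypothetical.

```c
#include <ctype.h>
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Resolve a "-p" argument to a protocol number.  Accepts either a name
 * listed in /etc/protocols or a plain decimal number in 0..255; numbers
 * need no /etc/protocols entry (e.g. 41 for SIT, ipv6-in-ipv4).
 * Returns -1 on a malformed or unknown argument instead of aborting. */
int resolve_protocol(const char *arg)
{
    if (arg == NULL || *arg == '\0')
        return -1;
    if (isdigit((unsigned char)*arg)) {
        char *end;
        long n = strtol(arg, &end, 10);
        if (*end != '\0' || n < 0 || n > 255)
            return -1;
        return (int)n;
    }
    struct protoent *pe = getprotobyname(arg);
    return pe ? pe->p_proto : -1;
}

/* Map a protocol number to its /etc/protocols name, or NULL if absent.
 * Every caller must check for NULL: this is the value the reported
 * crash dereferenced unchecked. */
const char *proto_to_name(int proto)
{
    struct protoent *pe = getprotobynumber(proto);
    return pe ? pe->p_name : NULL;
}

/* Human-readable label that never dereferences a NULL name: falls back
 * to the decimal number when /etc/protocols has no entry. */
const char *proto_label(int proto, char *buf, size_t len)
{
    const char *name = proto_to_name(proto);
    if (name != NULL)
        return name;
    snprintf(buf, len, "%d", proto);
    return buf;
}

/* Port options (--destination-port etc.) are only meaningful for tcp
 * and udp.  Comparing by number keeps this check independent of
 * whether the protocol has a name at all, so "-p 7 --destination-port"
 * can be rejected with an error rather than a crash. */
int port_options_allowed(int proto)
{
    return proto == 6 /* tcp */ || proto == 17 /* udp */;
}
```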