mirror of https://github.com/fwbuilder/fwbuilder synced 2026-03-22 03:07:20 +01:00

fixed dangerous memory access: the code used to delete object references instead of using removeRef()

Vadim Kurland 2011-03-12 17:49:50 -08:00
parent 26ab8d3e3e
commit c4f6a5a219
2 changed files with 31 additions and 25 deletions


@ -760,10 +760,12 @@ bool NATCompiler_pix::ReplaceFirewallObjectsODst::processNext()
if (! iface->isLoopback() && iface->getSecurityLevel()==0 )
cl.push_back(iface);
}
if ( ! cl.empty() ) {
while (rel->size())
rel->remove( rel->front() );
if ( ! cl.empty() )
{
// while (rel->size())
// rel->remove( rel->front() );
rel->clearChildren();
for (FWObject::iterator i1=cl.begin(); i1!=cl.end(); ++i1)
{
rel->addRef( *i1 );
@ -807,14 +809,17 @@ bool NATCompiler_pix::ReplaceFirewallObjectsTSrc::processNext()
osrc_level = osrc_iface->getSecurityLevel();
}
rel=rule->getTSrc(); assert(rel);
rel = rule->getTSrc();
assert(rel);
if (rel->size() == 0)
{
compiler->abort(rule, "Empty TSrc");
return true;
}
obj=compiler->getFirstTSrc(rule); assert(obj!=NULL);
obj = compiler->getFirstTSrc(rule);
assert(obj!=NULL);
if (obj->getId()==compiler->getFwId() )
{
@ -840,10 +845,13 @@ bool NATCompiler_pix::ReplaceFirewallObjectsTSrc::processNext()
helper.findInterfaceByNetzone(odst ) );
if (odst_iface!=NULL) cl.push_back(odst_iface);
}
if ( ! cl.empty() ) {
while (rel->size())
rel->remove( rel->front() );
if ( ! cl.empty() )
{
// while (rel->size())
// rel->remove( rel->front() );
rel->clearChildren();
for (FWObject::iterator i1=cl.begin(); i1!=cl.end(); ++i1)
{
rel->addRef( *i1 );
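Review bot: The old removal loop is left behind as commented-out code (`// while (rel->size())` / `// rel->remove( rel->front() );`) above `rel->clearChildren();`, in ReplaceFirewallObjectsODst and again in the `-840` hunk of ReplaceFirewallObjectsTSrc. Dead code does not tell the next maintainer why the loop must not come back; I would delete both copies and leave one line in their place, e.g. `// release the old references with clearChildren(); remove() on reference children was unsafe here`. In the `-807` hunk, `assert(rel)` and `assert(obj!=NULL)` are the only null guards before `rel->size()` and `obj->getId()`, so they vanish in any build that defines NDEBUG; the `compiler->abort(rule, "Empty TSrc")` pattern a few lines below would be a guard that survives release builds. Both functions start and end outside the hunks shown.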


@ -373,33 +373,30 @@ bool PolicyCompiler_cisco::NegationPhase1::processNext()
*/
bool PolicyCompiler_cisco::splitIfRuleElementMatchesFW::processNext()
{
PolicyRule *rule=getNext(); if (rule==NULL) return false;
PolicyCompiler_cisco *cisco_comp=dynamic_cast<PolicyCompiler_cisco*>(compiler);
PolicyRule *rule = getNext(); if (rule==NULL) return false;
PolicyCompiler_cisco *cisco_comp = dynamic_cast<PolicyCompiler_cisco*>(compiler);
RuleElement *re=RuleElement::cast(rule->getFirstByType(re_type));
int nre=re->size();
RuleElement *re = RuleElement::cast(rule->getFirstByType(re_type));
int nre = re->size();
list<FWObject*> cl;
for (list<FWObject*>::iterator i1=re->begin(); nre>1 && i1!=re->end(); ++i1)
{
FWObject *o = *i1;
FWObject *obj = NULL;
if (FWReference::cast(o)!=NULL) obj=FWReference::cast(o)->getPointer();
Address *a=Address::cast(obj);
FWObject *obj = FWReference::getObject(*i1);
Address *a = Address::cast(obj);
assert(a!=NULL);
// InetAddr obj_addr=a->getAddress();
if (cisco_comp->complexMatch(a,cisco_comp->fw))
{
cl.push_back(obj);
if (cisco_comp->complexMatch(a,cisco_comp->fw)) {
cl.push_back(o); // can not remove right now because remove invalidates iterator
nre--;
PolicyRule *new_rule= compiler->dbcopy->createPolicyRule();
PolicyRule *new_rule = compiler->dbcopy->createPolicyRule();
compiler->temp_ruleset->add(new_rule);
new_rule->duplicate(rule);
RuleElement *new_re=RuleElement::cast(new_rule->getFirstByType(re_type));
RuleElement *new_re = RuleElement::cast(new_rule->getFirstByType(re_type));
new_re->clearChildren();
new_re->setAnyElement();
new_re->addRef( a );
@ -407,10 +404,11 @@ bool PolicyCompiler_cisco::splitIfRuleElementMatchesFW::processNext()
}
}
if (!cl.empty())
{
for (list<FWObject*>::iterator i1=cl.begin(); i1!=cl.end(); ++i1)
re->remove( (*i1) );
re->removeRef(*i1);
}
tmp_queue.push_back(rule);
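Review bot: `re` is dereferenced by `re->size()` straight after `RuleElement::cast(rule->getFirstByType(re_type))` with no null check, and `a` is guarded only by `assert(a!=NULL)`, which disappears in builds that define NDEBUG. For a firewall policy compiler it is better to stop with an error than to continue on a bad pointer, so I would add something like `if (re==NULL) { compiler->abort(rule, "Missing rule element"); return true; }` and give the non-Address case the same treatment. Separately, the pointers collected in `cl` must be whatever `removeRef()` matches on. The page shows both `cl.push_back(obj)` and `cl.push_back(o)` without marking which side is new; if `removeRef()` looks a reference up by its target object (its definition is not part of this diff), the list has to hold `obj`, otherwise the element that matches the firewall silently stays in the original rule. The end of processNext() lies outside the visible hunks.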