author: Tobias Brunner <tobias@strongswan.org> 2016-03-07 15:32:02 +0100
committer: Tobias Brunner <tobias@strongswan.org> 2016-03-10 17:26:09 +0100
commit: 7c9e7eb9334beeca94e7d97f7b4cbed718e9dc2d (patch)
tree: 8da575573f83997a9146a8c3682dd40f956ba2ac /src
parent: 6b8acc49ed6e4b65eec6d1a44c190ad4afbf933e (diff)
connmark: Compare the complete rules when deleting them
By setting a matchmask that covers the complete rule we ensure that the correct rule is deleted (i.e. matches and targets with potentially different marks are also compared). Since data after the passed pointer is actually dereferenced when comparing we definitely have to pass an array that is at least as long as the ipt_entry. Fixes #1229.
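The masked comparison the commit message relies on, shown as an added stand-alone example (this is not strongSwan or libiptc code): a constructed 12-byte rule layout stands in for `struct ipt_entry`, `rule_same()` plays the role of libiptc's masked byte comparison, and `find_rule()` plays the "delete the first rule that compares equal" step. Two rules that differ only in their mark are put in a chain; with a mask of all 0xff spanning the whole rule the lookup finds the intended rule, while a mask that only covers the header conflates the two and selects the wrong one. The layout, field offsets and function names are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed, simplified rule layout (not the real struct ipt_entry):
 * byte 0..1  next_offset   total rule length
 * byte 2..3  target_offset where the target starts
 * byte 4..7  match data    (here: an IPv4 address)
 * byte 8..11 target data   (here: the mark value)                    */
#define HDR_LEN  4
#define RULE_LEN 12

static void build_rule(uint8_t out[RULE_LEN], uint32_t mark)
{
    memset(out, 0, RULE_LEN);
    out[0] = RULE_LEN;     /* next_offset, fits in the low byte */
    out[2] = HDR_LEN + 4;  /* target_offset */
    out[4] = 10; out[5] = 0; out[6] = 0; out[7] = 1;  /* match: 10.0.0.1 */
    memcpy(out + 8, &mark, sizeof(mark));             /* target: mark */
}

/* Masked comparison in the spirit of libiptc: a byte only counts as
 * different if the corresponding mask byte selects it. Every index up to
 * len is dereferenced in both rules and in the mask, which is why the mask
 * must be at least as long as the rule (the point of the commit). */
static int rule_same(const uint8_t *a, const uint8_t *b,
                     const uint8_t *mask, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        if ((a[i] ^ b[i]) & mask[i]) {
            return 0;
        }
    }
    return 1;
}

/* Index of the first rule in chain that compares equal to wanted under
 * mask, or -1. Mirrors "delete the first matching rule" behaviour. */
int find_rule(uint8_t chain[][RULE_LEN], size_t n,
              const uint8_t *wanted, const uint8_t *mask)
{
    for (size_t i = 0; i < n; i++) {
        if (rule_same(chain[i], wanted, mask, RULE_LEN)) {
            return (int)i;
        }
    }
    return -1;
}

/* Chain with two rules that differ only in their mark; we want the one
 * with mark 0x20, which sits at index 1. */
int lookup_with_full_mask(void)
{
    uint8_t chain[2][RULE_LEN], wanted[RULE_LEN], mask[RULE_LEN];
    build_rule(chain[0], 0x10);
    build_rule(chain[1], 0x20);
    build_rule(wanted, 0x20);
    memset(mask, 0xff, sizeof(mask));  /* the fix: compare every byte */
    return find_rule(chain, 2, wanted, mask);
}

/* Same lookup with a mask that only covers the header: the mark is never
 * compared, so the first rule (index 0, the wrong one) is selected. */
int lookup_with_header_mask(void)
{
    uint8_t chain[2][RULE_LEN], wanted[RULE_LEN], mask[RULE_LEN];
    build_rule(chain[0], 0x10);
    build_rule(chain[1], 0x20);
    build_rule(wanted, 0x20);
    memset(mask, 0x00, sizeof(mask));
    memset(mask, 0xff, HDR_LEN);
    return find_rule(chain, 2, wanted, mask);
}

int main(void)
{
    printf("full mask -> index %d, header-only mask -> index %d\n",
           lookup_with_full_mask(), lookup_with_header_mask());
    return 0;
}
```

The same reasoning is what makes the old `""` argument dangerous: a one-byte string literal used as the mask means the comparison indexes past it for every byte of the entry beyond the first, so the outcome depended on whatever happened to follow the literal in memory rather than on the rule's contents.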
Diffstat (limited to 'src')
-rw-r--r-- src/libcharon/plugins/connmark/connmark_listener.c | 5
1 files changed, 4 insertions, 1 deletions
diff --git a/src/libcharon/plugins/connmark/connmark_listener.c b/src/libcharon/plugins/connmark/connmark_listener.c
index cd53701e8..9dde7c1c5 100644
--- a/src/libcharon/plugins/connmark/connmark_listener.c
+++ b/src/libcharon/plugins/connmark/connmark_listener.c
@@ -101,7 +101,10 @@ static bool manage_rule(struct iptc_handle *ipth, const char *chain,
}
else
{
- if (!iptc_delete_entry(chain, e, "", ipth))
+ u_char matchmask[e->next_offset];
+
+ memset(matchmask, 255, sizeof(matchmask));
+ if (!iptc_delete_entry(chain, e, matchmask, ipth))
{
DBG1(DBG_CFG, "deleting %s rule failed: %s",
chain, iptc_strerror(errno));
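Review bot: the VLA `u_char matchmask[e->next_offset];` is sized correctly (libiptc walks the mask in step with the whole entry, so the previous `""` was a one-byte buffer that got read past), but the line carries no hint of that invariant; suggest a short comment such as `/* mask must be at least next_offset long: libiptc reads it in parallel with e */` so the next person does not shrink it back. Two things to confirm outside the hunk: that `e->next_offset` can never be 0 on this path (a zero-length VLA is undefined behaviour), and that the file already includes `<string.h>` for `memset`.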