Xtables-addons 3.17

The original patch for long division on x86 didn't take into account
the use of short circuit logic for checking if peer is NULL before
testing it. Here is a revised patch to v3.16.

configure.ac

@@ -1,4 +1,4 @@
-AC_INIT([xtables-addons], [3.16])
+AC_INIT([xtables-addons], [3.17])
 AC_CONFIG_AUX_DIR([build-aux])
 AC_CONFIG_HEADERS([config.h])
 AC_CONFIG_MACRO_DIR([m4])

doc/changelog.txt

@@ -1,3 +1,8 @@
+v3.17 (2021-02-28)
+==================
+- xt_pknock: cure a NULL deref
+
+
 v3.16 (2021-02-24)
 ==================
 - xt_pknock: build fix for ILP32 targets

extensions/pknock/xt_pknock.c

@@ -311,9 +311,12 @@ static void update_rule_gc_timer(struct xt_pknock_rule *rule)
 static inline bool
 autoclose_time_passed(const struct peer *peer, unsigned int autoclose_time)
 {
-	unsigned long x = ktime_get_seconds();
-	unsigned long y = peer->login_sec + autoclose_time * 60;
-	return peer != NULL && autoclose_time != 0 && time_after(x, y);
+	unsigned long x, y;
+	if (peer == NULL || autoclose_time == 0)
+		return false;
+	x = ktime_get_seconds();
+	y = peer->login_sec + autoclose_time * 60;
+	return time_after(x, y);
 }
 
 /**
@@ -335,8 +338,12 @@ is_interknock_time_exceeded(const struct peer *peer, unsigned int max_time)
 static inline bool
 has_logged_during_this_minute(const struct peer *peer)
 {
-	unsigned long x = ktime_get_seconds(), y = peer->login_sec;
-	return peer != NULL && do_div(y, 60) == do_div(x, 60);
+	unsigned long x, y;
+	if (peer == NULL)
+		return 0;
+	x = ktime_get_seconds();
+	y = peer->login_sec;
+	return do_div(y, 60) == do_div(x, 60);
 }
 
 /**

xtables-addons.8.in

@@ -1,4 +1,4 @@
-.TH xtables-addons 8 "" "" "v3.16 (2021-02-24)"
+.TH xtables-addons 8 "" "" "v3.17 (2021-02-28)"
 .SH Name
 Xtables-addons \(em additional extensions for iptables, ip6tables, etc.
 .SH Targets