From: Jan Engelhardt <jengelh@medozas.de>
Date: 2011-07-11 01:11 +0200

libebt_among: fix undefined behavior on dereference of typepunned ptr

extensions/ebt_among.c: In function ‘create_wormhash’:
extensions/ebt_among.c:250:4: warning: dereferencing type-punned pointer will break strict-aliasing rules
extensions/ebt_among.c:261:3: warning: dereferencing type-punned pointer will break strict-aliasing rules

---
 extensions/ebt_among.c |   18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

Index: ebtables-v2.0.10-1/extensions/ebt_among.c
===================================================================
--- ebtables-v2.0.10-1.orig/extensions/ebt_among.c
+++ ebtables-v2.0.10-1/extensions/ebt_among.c
@@ -183,7 +183,7 @@ static struct ebt_mac_wormhash *create_w
 	char *endptr;
 	struct ebt_mac_wormhash *workcopy, *result, *h;
 	unsigned char mac[6];
-	unsigned char ip[4];
+	uint32_t ip;
 	int nmacs = 0;
 	int i;
 	char token[4];
@@ -222,16 +222,18 @@ static struct ebt_mac_wormhash *create_w
 			ebt_print_error("MAC parse error: %.20s", anchor);
 			return NULL;
 		}
+		ip = 0;
 		if (*pc == '=') {
 			/* an IP follows the MAC; collect similarly to MAC */
 			pc++;
 			anchor = pc;
-			for (i = 0; i < 3; i++) {
+			for (i = 3; i > 0; --i) {
 				if (read_until(&pc, ".", token, 3) < 0 || token[0] == 0) {
 					ebt_print_error("IP parse error: %.20s", anchor);
 					return NULL;
 				}
-				ip[i] = strtol(token, &endptr, 10);
+				/* 0xFF warrants using 8 - not CHAR_BIT. */
+				ip |= (strtoul(token, &endptr, 10) & 0xFF) << (8 * i);
 				if (*endptr) {
 					ebt_print_error("IP parse error: %.20s", anchor);
 					return NULL;
@@ -242,23 +244,21 @@ static struct ebt_mac_wormhash *create_w
 				ebt_print_error("IP parse error: %.20s", anchor);
 				return NULL;
 			}
-			ip[3] = strtol(token, &endptr, 10);
+			ip |= strtoul(token, &endptr, 10) & 0xFF;
 			if (*endptr) {
 				ebt_print_error("IP parse error: %.20s", anchor);
 				return NULL;
 			}
-			if (*(uint32_t*)ip == 0) {
+			ip = htonl(ip);
+			if (ip == 0) {
 				ebt_print_error("Illegal IP 0.0.0.0");
 				return NULL;
 			}
-		} else {
-			/* no IP, we set it to 0.0.0.0 */
-			memset(ip, 0, 4);
 		}
 
 		/* we have collected MAC and IP, so we add an entry */
 		memcpy(((char *) workcopy->pool[nmacs].cmp) + 2, mac, 6);
-		workcopy->pool[nmacs].ip = *(const uint32_t *) ip;
+		workcopy->pool[nmacs].ip = ip;
 		nmacs++;
 
 		/* re-allocate memory if needed */