Check for active_rules > 0 before decrementing

In the fw_config struct the active_rules member is unsigned, so this change ensures that we don't try to decrement it below zero whenever a firewall rule is deleted or an error condition occurs.
2011-09-08 21:33:52 -04:00 · 2011-09-08 21:33:52 -04:00 · c65e25c656
commit c65e25c656
parent 88b6d44f1f
2 changed files with 30 additions and 18 deletions
--- a/server/fw_util_ipfw.c
+++ b/server/fw_util_ipfw.c
@ -489,8 +489,6 @@ check_firewall_rules(fko_srv_options_t *opts)
    time_t          now, rule_exp, min_exp = 0;
    unsigned short  curr_rule;
    time(&now);
    /* Just in case we somehow lose track and fall out-of-whack.
    */
    if(fwc.active_rules > fwc.max_rules)
@ -499,7 +497,12 @@ check_firewall_rules(fko_srv_options_t *opts)
    /* If there are no active rules or we have not yet
     * reached our expected next expire time, continue.
    */
-    if(fwc.active_rules == 0 || fwc.next_expire > now)
+    if(fwc.active_rules == 0)
        return;
    time(&now);
    if (fwc.next_expire > now)
        return;
    zero_cmd_buffers();
@ -534,7 +537,9 @@ check_firewall_rules(fko_srv_options_t *opts)
        log_msg(LOG_ERR,
            "Did not find expire comment in rules list %i.\n", i);
        if (fwc.active_rules > 0)
            fwc.active_rules--;
        return;
    }
@ -577,7 +582,9 @@ check_firewall_rules(fko_srv_options_t *opts)
                log_msg(LOG_ERR,
                    "Rule parse error while finding rule line start.");
                if (fwc.active_rules > 0)
                    fwc.active_rules--;
                break;
            }
@ -591,7 +598,9 @@ check_firewall_rules(fko_srv_options_t *opts)
                log_msg(LOG_ERR,
                    "Rule parse error while finding rule number.");
                if (fwc.active_rules > 0)
                    fwc.active_rules--;
                break;
            }
@ -617,7 +626,9 @@ check_firewall_rules(fko_srv_options_t *opts)
                    rule_num_str, rule_exp, fwc.expire_set_num
                );
                if (fwc.active_rules > 0)
                    fwc.active_rules--;
                fwc.rule_map[curr_rule - fwc.start_rule_num] = RULE_EXPIRED;
            }
            else
--- a/server/fw_util_iptables.c
+++ b/server/fw_util_iptables.c
@ -761,13 +761,6 @@ check_firewall_rules(fko_srv_options_t *opts)
    */
    for(i = 0; i < NUM_FWKNOP_ACCESS_TYPES; i++)
    {
        /* Just in case we somehow lose track and fall out-of-whack,
         * we be the hero and reset it to zero.
         *  (poet but don't know it :-o )
        */
        if(ch[i].active_rules < 0)
            ch[i].active_rules = 0;
        /* If there are no active rules or we have not yet
         * reached our expected next expire time, continue.
        */
@ -806,7 +799,9 @@ check_firewall_rules(fko_srv_options_t *opts)
            log_msg(LOG_ERR,
                "Did not find expire comment in rules list %i.\n", i);
            if (ch[i].active_rules > 0)
                ch[i].active_rules--;
            continue;
        }
@ -845,7 +840,9 @@ check_firewall_rules(fko_srv_options_t *opts)
                    log_msg(LOG_ERR,
                        "Rule parse error while finding rule line start in chain %i", i);
                    if (ch[i].active_rules > 0)
                        ch[i].active_rules--;
                    break;
                }
                rn_start++;
@ -859,7 +856,9 @@ check_firewall_rules(fko_srv_options_t *opts)
                    log_msg(LOG_ERR,
                        "Rule parse error while finding rule number in chain %i", i);
                    if (ch[i].active_rules > 0)
                        ch[i].active_rules--;
                    break;
                }
@ -884,6 +883,8 @@ check_firewall_rules(fko_srv_options_t *opts)
                    );
                    rn_offset++;
                    if (ch[i].active_rules > 0)
                        ch[i].active_rules--;
                }
                else