[Bug 545] New: Array subscript is above array bounds

bugzilla-daemon at bugzilla.netfilter.org
Wed Feb 14 17:46:23 CET 2007


           Summary: Array subscript is above array bounds
           Product: iptables
           Version: CVS (please indicate
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: ip6tables
        AssignedTo: laforge at netfilter.org
        ReportedBy: prusnak at suse.cz

In file ip6tables.c, in function set_revision(), there are the lines:

name[IP6T_FUNCTION_MAXNAMELEN - 2] = '\0';
name[IP6T_FUNCTION_MAXNAMELEN - 1] = revision;

but the file ip6tables.h says:

struct ip6t_get_revision {
	char name[IP6T_FUNCTION_MAXNAMELEN-1];
	u_int8_t revision;
};

So a write above the array bounds occurs. The constant IP6T_FUNCTION_MAXNAMELEN is used in
2 more places in ip6tables.c:

[ function register_match6() ]

/* Revision field stole a char from name. */
if (strlen(me->name) >= IP6T_FUNCTION_MAXNAMELEN-1) {
  fprintf(stderr, "%s: target `%s' has invalid name\n",
    program_name, me->name);

[ function do_command6() ]

if (chain && strlen(chain) > IP6T_FUNCTION_MAXNAMELEN)
    "chain name `%s' too long (must be under %i chars)",

I cannot determine if changing "char name[IP6T_FUNCTION_MAXNAMELEN-1];" into
"char name[IP6T_FUNCTION_MAXNAMELEN];" in the header file is a sufficient fix, or
whether the usage of the constant must be fixed in the comparisons too. Otherwise I would have
submitted a patch and not only a bug report :) Could you please advise? Thanks in

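The struct layout discussed in the report, as an added example that is not part of the original message or of the iptables source: it shows which index is the last one inside name[], where revision sits, and a setter that writes the revision member directly instead of indexing through name[]. The value 30 for IP6T_FUNCTION_MAXNAMELEN and the helpers name_last_index() and set_revision_checked() are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed value for this example; the report does not state it. */
#define IP6T_FUNCTION_MAXNAMELEN 30

/* Layout as described in the report: name[] is one byte shorter
 * than the constant, and revision follows it directly. */
struct ip6t_get_revision {
	char name[IP6T_FUNCTION_MAXNAMELEN - 1];
	uint8_t revision;
};

/* Hypothetical helper: highest index that is inside name[]. */
static size_t name_last_index(void)
{
	return sizeof(((struct ip6t_get_revision *)0)->name) - 1;
}

/* Hypothetical helper: fill the request without indexing past name[].
 * The length test matches the register_match6() comparison quoted in
 * the report. Returns 0 on success, -1 if the name does not fit. */
static int set_revision_checked(struct ip6t_get_revision *rev,
				const char *name, uint8_t revision)
{
	size_t len = strlen(name);

	if (len >= sizeof(rev->name))
		return -1;
	memset(rev, 0, sizeof(*rev));	/* also NUL-terminates name[] */
	memcpy(rev->name, name, len);
	rev->revision = revision;	/* write the member, not name[N-1] */
	return 0;
}

int main(void)
{
	struct ip6t_get_revision rev;

	printf("last index inside name[]: %zu\n", name_last_index());
	printf("index written in report:  %d\n", IP6T_FUNCTION_MAXNAMELEN - 1);
	printf("offsetof(revision):       %zu\n",
	       offsetof(struct ip6t_get_revision, revision));
	if (set_revision_checked(&rev, "LOG", 1) == 0)	/* constructed input */
		printf("name=%s revision=%u\n", rev.name, (unsigned)rev.revision);
	return 0;
}
```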