[Bug 545] New: Array subscript is above array bounds
bugzilla-daemon at bugzilla.netfilter.org
bugzilla-daemon at bugzilla.netfilter.org
Wed Feb 14 17:46:23 CET 2007
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=545
Summary: Array subscript is above array bounds
Product: iptables
Version: CVS (please indicate
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: ip6tables
AssignedTo: laforge at netfilter.org
ReportedBy: prusnak at suse.cz
Hi!
In file ip6tables.c, function set_revision() there are lines:
name[IP6T_FUNCTION_MAXNAMELEN - 2] = '\0';
name[IP6T_FUNCTION_MAXNAMELEN - 1] = revision;
but file ip6tables.h says:
struct ip6t_get_revision
{
char name[IP6T_FUNCTION_MAXNAMELEN-1];
u_int8_t revision;
};
So write above array bounds occurs. Constant IP6T_FUNCTION_MAXNAMELEN is used in
2 more places in ip6tables.c:
[ function register_match6() ]
/* Revision field stole a char from name. */
if (strlen(me->name) >= IP6T_FUNCTION_MAXNAMELEN-1) {
fprintf(stderr, "%s: target `%s' has invalid name\n",
program_name, me->name);
exit(1);
}
[ function do_command6() ]
if (chain && strlen(chain) > IP6T_FUNCTION_MAXNAMELEN)
exit_error(PARAMETER_PROBLEM,
"chain name `%s' too long (must be under %i chars)",
chain, IP6T_FUNCTION_MAXNAMELEN);
I cannot determine if changing "char name[IP6T_FUNCTION_MAXNAMELEN-1];" into
"char name[IP6T_FUNCTION_MAXNAMELEN];" in header file is sufficient fix, or
usage of constant must be fixed in comparisons too. Otherwise I would have
submitted patch and not only bugreport :) Could you please advise? Thanks in
advance.
--
Configure bugmail: https://bugzilla.netfilter.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
More information about the netfilter-buglog
mailing list