bugzilla-daemon@bugzilla.netfilter.org
2007-Feb-14 17:46 UTC
[Bug 545] New: Array subscript is above array bounds
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=545
Summary: Array subscript is above array bounds
Product: iptables
Version: CVS (please indicate
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: ip6tables
AssignedTo: laforge@netfilter.org
ReportedBy: prusnak@suse.cz
Hi!
In file ip6tables.c, function set_revision(), there are these lines:

    name[IP6T_FUNCTION_MAXNAMELEN - 2] = '\0';
    name[IP6T_FUNCTION_MAXNAMELEN - 1] = revision;
but file ip6tables.h says:

    struct ip6t_get_revision
    {
        char name[IP6T_FUNCTION_MAXNAMELEN-1];
        u_int8_t revision;
    };
So a write above array bounds occurs. The constant IP6T_FUNCTION_MAXNAMELEN is used in
2 more places in ip6tables.c:

[ function register_match6() ]

    /* Revision field stole a char from name. */
    if (strlen(me->name) >= IP6T_FUNCTION_MAXNAMELEN-1) {
        fprintf(stderr, "%s: target `%s' has invalid name\n",
                program_name, me->name);
        exit(1);
    }

[ function do_command6() ]

    if (chain && strlen(chain) > IP6T_FUNCTION_MAXNAMELEN)
        exit_error(PARAMETER_PROBLEM,
                   "chain name `%s' too long (must be under %i chars)",
                   chain, IP6T_FUNCTION_MAXNAMELEN);
I cannot determine if changing "char name[IP6T_FUNCTION_MAXNAMELEN-1];" into
"char name[IP6T_FUNCTION_MAXNAMELEN];" in the header file is a sufficient fix, or
whether the usage of the constant must be fixed in the comparisons too. Otherwise I
would have submitted a patch and not only a bug report :) Could you please advise?
Thanks in advance.
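Added example, not code from the report or from iptables: it reproduces the struct layout quoted in the report with an assumed value of IP6T_FUNCTION_MAXNAMELEN (30 is assumed here; the report does not state it), uses offsetof to show where the name[IP6T_FUNCTION_MAXNAMELEN - 1] write actually lands (the revision member directly after the array, which is why the code appeared to work), and gives a setter, with a hypothetical name, that fills the structure through its own members and checks the name length against sizeof the real array instead of against the constant.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed value; the report does not state it. */
#define IP6T_FUNCTION_MAXNAMELEN 30

/* Layout exactly as quoted from ip6tables.h in the report. */
struct ip6t_get_revision {
    char name[IP6T_FUNCTION_MAXNAMELEN - 1];
    uint8_t revision;
};

/* Offset of the revision member. With the layout above it equals
 * IP6T_FUNCTION_MAXNAMELEN - 1, i.e. exactly the index that the reported
 * set_revision() code writes, one past the end of name[]. */
size_t revision_offset(void)
{
    return offsetof(struct ip6t_get_revision, revision);
}

/* Longest name the array can hold together with its NUL terminator. */
size_t max_name_len(void)
{
    return sizeof(((struct ip6t_get_revision *)0)->name) - 1;
}

/* Hardened setter (hypothetical name): fill the struct through its own
 * members instead of indexing past name[]. The length check uses sizeof
 * the actual array, so it stays correct if the header changes.
 * Returns 0 on success, -1 if the name does not fit. */
int set_revision_checked(struct ip6t_get_revision *rev,
                         const char *name, uint8_t revision)
{
    size_t len = strlen(name);

    if (len >= sizeof(rev->name))
        return -1;
    memset(rev, 0, sizeof(*rev));   /* zero-fills, so name is NUL-terminated */
    memcpy(rev->name, name, len);
    rev->revision = revision;
    return 0;
}

int main(void)
{
    struct ip6t_get_revision rev;

    printf("sizeof(struct) = %zu, revision at offset %zu, max name length %zu\n",
           sizeof(rev), revision_offset(), max_name_len());

    if (set_revision_checked(&rev, "REJECT", 1) == 0)
        printf("stored name \"%s\", revision %u\n", rev.name, rev.revision);

    /* 29 characters (constructed): passes the do_command6() check quoted in
     * the report (> 30) but does not fit in the array with a terminator. */
    if (set_revision_checked(&rev, "abcdefghijklmnopqrstuvwxyz123", 2) != 0)
        printf("29-char name rejected: only %zu chars fit\n", max_name_len());
    return 0;
}
```

The two checks quoted in the report use different limits (>= IP6T_FUNCTION_MAXNAMELEN-1 in register_match6(), > IP6T_FUNCTION_MAXNAMELEN in do_command6()), while the array can hold 28 characters plus the terminator under the assumed value; expressing the check in terms of sizeof(rev->name) keeps the comparison and the storage in agreement whichever way the header is changed.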