bugzilla-daemon@bugzilla.netfilter.org
2007-Feb-14 17:46 UTC
[Bug 545] New: Array subscript is above array bounds
https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=545

           Summary: Array subscript is above array bounds
           Product: iptables
           Version: CVS (please indicate
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: ip6tables
        AssignedTo: laforge@netfilter.org
        ReportedBy: prusnak@suse.cz

Hi!

In file ip6tables.c, function set_revision(), there are lines:

    name[IP6T_FUNCTION_MAXNAMELEN - 2] = '\0';
    name[IP6T_FUNCTION_MAXNAMELEN - 1] = revision;

but file ip6tables.h says:

    struct ip6t_get_revision {
        char name[IP6T_FUNCTION_MAXNAMELEN-1];
        u_int8_t revision;
    };

So a write above array bounds occurs.

Constant IP6T_FUNCTION_MAXNAMELEN is used in 2 more places in ip6tables.c:

[ function register_match6() ]

    /* Revision field stole a char from name. */
    if (strlen(me->name) >= IP6T_FUNCTION_MAXNAMELEN-1) {
        fprintf(stderr, "%s: target `%s' has invalid name\n",
                program_name, me->name);
        exit(1);
    }

[ function do_command6() ]

    if (chain && strlen(chain) > IP6T_FUNCTION_MAXNAMELEN)
        exit_error(PARAMETER_PROBLEM,
                   "chain name `%s' too long (must be under %i chars)",
                   chain, IP6T_FUNCTION_MAXNAMELEN);

I cannot determine if changing "char name[IP6T_FUNCTION_MAXNAMELEN-1];" into "char name[IP6T_FUNCTION_MAXNAMELEN];" in the header file is a sufficient fix, or if the usage of the constant must be fixed in the comparisons too. Otherwise I would have submitted a patch and not only a bug report :)

Could you please advise? Thanks in advance.

-- 
Configure bugmail: https://bugzilla.netfilter.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
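As an added illustration (not code from the report or from iptables), the struct layout the reporter quotes, a check that the one-past-the-end index used by set_revision() lands on the revision member, and a setter that writes that member directly instead of through the array; IP6T_FUNCTION_MAXNAMELEN is given an assumed value of 16 here, and set_revision_safe() is a hypothetical name.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed value for illustration only; the real constant lives in the
 * netfilter headers and may differ. */
#define IP6T_FUNCTION_MAXNAMELEN 16

/* Layout from the report: the revision byte "stole" the last char of name. */
struct ip6t_get_revision {
    char    name[IP6T_FUNCTION_MAXNAMELEN - 1];
    uint8_t revision;
};

/* Why the original write "worked": with no padding between a char array
 * and a uint8_t, index MAXNAMELEN-1 (one past the end of name) is exactly
 * the offset of .revision.  It is still an out-of-bounds store, which is
 * what the compiler warning in the bug title is about. */
int overflow_slot_is_revision(void)
{
    return offsetof(struct ip6t_get_revision, revision)
           == IP6T_FUNCTION_MAXNAMELEN - 1;
}

/* Hardened setter: reject names that would not leave room for the NUL
 * (same bound register_match6() enforces with >= MAXNAMELEN-1), fill the
 * array explicitly, and set .revision through its own member.
 * Returns 0 on success, -1 if the name does not fit. */
int set_revision_safe(struct ip6t_get_revision *r, const char *name, uint8_t rev)
{
    size_t cap = sizeof r->name;          /* MAXNAMELEN - 1 bytes */
    size_t len = strlen(name);

    if (len >= cap)                       /* need at least one byte for NUL */
        return -1;
    memset(r->name, 0, cap);              /* guarantees termination */
    memcpy(r->name, name, len);
    r->revision = rev;
    return 0;
}

int main(void)
{
    struct ip6t_get_revision r;

    printf("one-past-end index aliases revision: %d\n", overflow_slot_is_revision());
    printf("short name accepted: %d\n", set_revision_safe(&r, "icmp6", 1));
    printf("name=%s revision=%u\n", r.name, r.revision);
    printf("long name rejected: %d\n",
           set_revision_safe(&r, "this-name-is-far-too-long", 1));
    return 0;
}
```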