Displaying 1 result from an estimated 1 matches for "ip6t_function_maxnamelen".
2007 Feb 14
0
[Bug 545] New: Array subscript is above array bounds
...Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: ip6tables
AssignedTo: laforge@netfilter.org
ReportedBy: prusnak@suse.cz
Hi!
In file ip6tables.c, function set_revision() there are lines:
name[IP6T_FUNCTION_MAXNAMELEN - 2] = '\0';
name[IP6T_FUNCTION_MAXNAMELEN - 1] = revision;
but file ip6tables.h says:
struct ip6t_get_revision
{
char name[IP6T_FUNCTION_MAXNAMELEN-1];
u_int8_t revision;
};
So write above array bounds occurs. Constant IP6T_FUNCTION_MAXNAMELEN is used in
2 more places in ip6tables.c:...