search for: ip6t_get_revision

Displaying 1 result from an estimated 1 matches for "ip6t_get_revision".

2007 Feb 14
0
[Bug 545] New: Array subscript is above array bounds
...mponent: ip6tables AssignedTo: laforge@netfilter.org ReportedBy: prusnak@suse.cz Hi! In file ip6tables.c, function set_revision() there are lines: name[IP6T_FUNCTION_MAXNAMELEN - 2] = '\0'; name[IP6T_FUNCTION_MAXNAMELEN - 1] = revision; but file ip6tables.h says: struct ip6t_get_revision { char name[IP6T_FUNCTION_MAXNAMELEN-1]; u_int8_t revision; }; So write above array bounds occurs. Constant IP6T_FUNCTION_MAXNAMELEN is used in 2 more places in ip6tables.c: [ function register_match6() ] /* Revision field stole a char from name. */ if (strlen(me->name) >= IP6T_FUNCTION_...