2007 Feb 14
[Bug 545] New: Array subscript is above array bounds
...mponent: ip6tables
AssignedTo: laforge@netfilter.org
ReportedBy: prusnak@suse.cz
Hi!
In file ip6tables.c, in function set_revision(), there are these lines:

    name[IP6T_FUNCTION_MAXNAMELEN - 2] = '\0';
    name[IP6T_FUNCTION_MAXNAMELEN - 1] = revision;

but file ip6tables.h says:

    struct ip6t_get_revision
    {
        char name[IP6T_FUNCTION_MAXNAMELEN-1];
        u_int8_t revision;
    };

So a write above the array bounds occurs. The constant IP6T_FUNCTION_MAXNAMELEN is used in
2 more places in ip6tables.c:

[ function register_match6() ]

    /* Revision field stole a char from name. */
    if (strlen(me->name) >= IP6T_FUNCTION_...