Displaying 1 result from an estimated 1 matches for "register_match6".
2007 Feb 14
0
[Bug 545] New: Array subscript is above array bounds
...;\0';
name[IP6T_FUNCTION_MAXNAMELEN - 1] = revision;
but file ip6tables.h says:
struct ip6t_get_revision
{
char name[IP6T_FUNCTION_MAXNAMELEN-1];
u_int8_t revision;
};
So write above array bounds occurs. Constant IP6T_FUNCTION_MAXNAMELEN is used in
2 more places in ip6tables.c:
[ function register_match6() ]
/* Revision field stole a char from name. */
if (strlen(me->name) >= IP6T_FUNCTION_MAXNAMELEN-1) {
fprintf(stderr, "%s: target `%s' has invalid name\n",
program_name, me->name);
exit(1);
}
[ function do_command6() ]
if (chain && strlen(chain) > IP6T_...