ipset/0001-lib-ipset-Avoid-argv-array-overstepping.patch

From 90f9e82d1db7f81c8d1e41de9fadb82d51c9a2d0 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Thu, 27 Jun 2024 10:18:17 +0200
Subject: [PATCH] lib: ipset: Avoid 'argv' array overstepping

The maximum accepted value for 'argc' is MAX_ARGS which matches 'argv'
array size. The maximum allowed array index is therefore argc-1.

This fix will leave items in argv non-NULL-terminated, so explicitly
NULL the formerly last entry after shifting.

Looks like a day-1 bug. Interestingly, this neither triggered ASAN nor
valgrind. Yet adding debug output printing argv entries being copied
did.

Fixes: 1e6e8bd9a62aa ("Third stage to ipset-5")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
(cherry picked from commit 851cb04ffee5040f1e0063f77c3fe9bc6245e0fb)
---
 lib/ipset.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/ipset.c b/lib/ipset.c
index c910d88805c28..3bf1c5fcdbc59 100644
--- a/lib/ipset.c
+++ b/lib/ipset.c
@@ -343,9 +343,9 @@ ipset_shift_argv(int *argc, char *argv[], int from)
 
 	assert(*argc >= from + 1);
 
-	for (i = from + 1; i <= *argc; i++)
+	for (i = from + 1; i < *argc; i++)
 		argv[i-1] = argv[i];
-	(*argc)--;
+	argv[--(*argc)] = NULL;
 	return;
 }
import RHEL 10 Beta ipset-7.21-3.el10 2024-11-25 09:06:32 +00:00			`From 90f9e82d1db7f81c8d1e41de9fadb82d51c9a2d0 Mon Sep 17 00:00:00 2001`
			`From: Phil Sutter <phil@nwl.cc>`
			`Date: Thu, 27 Jun 2024 10:18:17 +0200`
			`Subject: [PATCH] lib: ipset: Avoid 'argv' array overstepping`

			`The maximum accepted value for 'argc' is MAX_ARGS which matches 'argv'`
			`array size. The maximum allowed array index is therefore argc-1.`

			`This fix will leave items in argv non-NULL-terminated, so explicitly`
			`NULL the formerly last entry after shifting.`

			`Looks like a day-1 bug. Interestingly, this neither triggered ASAN nor`
			`valgrind. Yet adding debug output printing argv entries being copied`
			`did.`

			`Fixes: 1e6e8bd9a62aa ("Third stage to ipset-5")`
			`Signed-off-by: Phil Sutter <phil@nwl.cc>`
			`Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>`
			`(cherry picked from commit 851cb04ffee5040f1e0063f77c3fe9bc6245e0fb)`
			`---`
			`lib/ipset.c \| 4 ++--`
			`1 file changed, 2 insertions(+), 2 deletions(-)`

			`diff --git a/lib/ipset.c b/lib/ipset.c`
			`index c910d88805c28..3bf1c5fcdbc59 100644`
			`--- a/lib/ipset.c`
			`+++ b/lib/ipset.c`
			`@@ -343,9 +343,9 @@ ipset_shift_argv(int argc, char argv[], int from)`

			`assert(*argc >= from + 1);`

			`- for (i = from + 1; i <= *argc; i++)`
			`+ for (i = from + 1; i < *argc; i++)`
			`argv[i-1] = argv[i];`
			`- (*argc)--;`
			`+ argv[--(*argc)] = NULL;`
			`return;`
			`}`