39 lines
1.2 KiB
Diff
39 lines
1.2 KiB
Diff
|
From 851cb04ffee5040f1e0063f77c3fe9bc6245e0fb Mon Sep 17 00:00:00 2001
|
||
|
|
From: Phil Sutter <phil@nwl.cc>
|
||
|
|
Date: Thu, 27 Jun 2024 10:18:17 +0200
|
||
|
|
Subject: [PATCH] lib: ipset: Avoid 'argv' array overstepping
|
||
|
|
|
||
|
|
The maximum accepted value for 'argc' is MAX_ARGS which matches 'argv'
|
||
|
|
array size. The maximum allowed array index is therefore argc-1.
|
||
|
|
|
||
|
|
This fix will leave items in argv non-NULL-terminated, so explicitly
|
||
|
|
NULL the formerly last entry after shifting.
|
||
|
|
|
||
|
|
Looks like a day-1 bug. Interestingly, this neither triggered ASAN nor
|
||
|
|
valgrind. Yet adding debug output printing argv entries being copied
|
||
|
|
did.
|
||
|
|
|
||
|
|
Fixes: 1e6e8bd9a62aa ("Third stage to ipset-5")
|
||
|
|
Signed-off-by: Phil Sutter <phil@nwl.cc>
|
||
|
|
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
|
||
|
|
---
|
||
|
|
lib/ipset.c | 4 ++--
|
||
|
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
||
|
|
|
||
|
|
diff --git a/lib/ipset.c b/lib/ipset.c
|
||
|
|
index c910d88805c28..3bf1c5fcdbc59 100644
|
||
|
|
--- a/lib/ipset.c
|
||
|
|
+++ b/lib/ipset.c
|
||
|
|
@@ -343,9 +343,9 @@ ipset_shift_argv(int *argc, char *argv[], int from)
|
||
|
|
|
||
|
|
assert(*argc >= from + 1);
|
||
|
|
|
||
|
|
- for (i = from + 1; i <= *argc; i++)
|
||
|
|
+ for (i = from + 1; i < *argc; i++)
|
||
|
|
argv[i-1] = argv[i];
|
||
|
|
- (*argc)--;
|
||
|
|
+ argv[--(*argc)] = NULL;
|
||
|
|
return;
|
||
|
|
}
|
||
|
|
|