authorJan Engelhardt <jengelh@medozas.de>2011-02-21 03:21:18 +0100
committerJan Engelhardt <jengelh@medozas.de>2011-02-21 03:21:18 +0100
commit4b110b426df7bf486a3e7884c56ebb3487023601 (patch)
treedd35cb4a809269587ab8693256f1d74cc0481dfb
parent2d039bcf8421c992fb74849facc2d7205960f68e (diff)
libxtables: fix memory scribble beyond end of array
When using -s "", the "n" variable in the code remains uninitialized and usually scribbles beyond the end of the array. Furthermore, "n" is just as big as entries in the last host lookup. When specifying more than one item to -s, e.g. "-s host,host", "n" is less than "count", and we are not masking the addresses at all (leaving them at addr/32 resp. addr/128). The issue goes back to the initial code from v1.4.5~21. References: http://bugs.debian.org/611990 Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
-rw-r--r--xtables.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/xtables.c b/xtables.c
index 57d5d13e..f66fb275 100644
--- a/xtables.c
+++ b/xtables.c
@@ -1272,7 +1272,7 @@ void xtables_ipparse_multiple(const char *name, struct in_addr **addrpp,
free(addrp);
}
*naddrs = count;
- for (i = 0; i < n; ++i)
+ for (i = 0; i < count; ++i)
(*addrpp+i)->s_addr &= (*maskpp+i)->s_addr;
}
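Review bot: Bounding the masking loop by `count` keeps it inside the allocation, but it may now mask and report entries that were never filled in. The commit message says `-s ""` leaves `n` unset, which implies the parsing loop above this hunk can finish without storing any address, yet `*naddrs = count;` and `for (i = 0; i < count; ++i)` still cover every slot; if the arrays are not zeroed on allocation, those slots hold indeterminate heap data that would end up in the rule. Consider tracking how many entries were actually written (a new local, say `filled`) and using it in both places, `*naddrs = filled;` and `for (i = 0; i < filled; ++i)`, or rejecting an empty specification before this point. The same applies to the `xtables_ip6parse_multiple` hunk; both function bodies begin outside the hunks shown.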
@@ -1587,7 +1587,7 @@ xtables_ip6parse_multiple(const char *name, struct in6_addr **addrpp,
free(addrp);
}
*naddrs = count;
- for (i = 0; i < n; ++i)
+ for (i = 0; i < count; ++i)
for (j = 0; j < 4; ++j)
(*addrpp+i)->s6_addr32[j] &= (*maskpp+i)->s6_addr32[j];
}