From 21d1283750d9c4df7ca80165d2b9dc0b9bd214eb Mon Sep 17 00:00:00 2001
From: Jan Engelhardt
Date: Tue, 16 Mar 2010 16:49:21 +0100
Subject: iptables: correctly check for too-long chain/target/match names

* iptables-restore was not checking for chain name length
* iptables was not checking for match name length
* target length was checked against 32, not 29.
References: http://bugzilla.netfilter.org/show_bug.cgi?id=641
Signed-off-by: Jan Engelhardt
---
 xtables.c | 5 +++++
 1 file changed, 5 insertions(+)
(limited to 'xtables.c')
diff --git a/xtables.c b/xtables.c
index f3baf84d..7340c87a 100644
--- a/xtables.c
+++ b/xtables.c
@@ -545,6 +545,11 @@ xtables_find_match(const char *name, enum xtables_tryload tryload,
 struct xtables_match *ptr;
 const char *icmp6 = "icmp6";
 
+ if (strlen(name) > XT_FUNCTION_MAXNAMELEN - 1)
+ xtables_error(PARAMETER_PROBLEM,
+ "Invalid match name \"%s\" (%u chars max)",
+ name, XT_FUNCTION_MAXNAMELEN - 1);
+
 /* This is ugly as hell. Nonetheless, there is no way of changing
 * this without hurting backwards compatibility */
 if ( (strcmp(name,"icmpv6") == 0) ||
-- 
cgit v1.2.3
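Review bot: The new length guard in xtables_find_match compares with `>`, so a name of exactly XT_FUNCTION_MAXNAMELEN - 1 characters is still accepted. If the field this name is later copied into is XT_FUNCTION_MAXNAMELEN - 1 bytes including the terminating NUL (the "29" in the commit message suggests so, but the struct is not visible here), such a name would not fit with its terminator. Please confirm against the struct definition and, if that is the case, reject at the boundary with `if (strlen(name) >= XT_FUNCTION_MAXNAMELEN - 1)` and report `XT_FUNCTION_MAXNAMELEN - 2` as the maximum. Separately, `%u` is paired with what is presumably an int expression, so casting the argument to `unsigned int` would keep the format and argument types matched. The function body begins and ends outside the hunk, so the later use of `name` cannot be checked from here.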