authorPhil Sutter <phil@nwl.cc>2024-06-27 10:18:17 +0200
committerJozsef Kadlecsik <kadlec@netfilter.org>2024-06-27 15:54:27 +0200
commit851cb04ffee5040f1e0063f77c3fe9bc6245e0fb (patch)
treeef63594ff7a174e9029ff0aae67d207ed32776cb
parentf1bcacf5eeb8620ea684524e1ce9c3951a77f1f9 (diff)
lib: ipset: Avoid 'argv' array overstepping
The maximum accepted value for 'argc' is MAX_ARGS which matches 'argv' array size. The maximum allowed array index is therefore argc-1. This fix will leave items in argv non-NULL-terminated, so explicitly NULL the formerly last entry after shifting. Looks like a day-1 bug. Interestingly, this neither triggered ASAN nor valgrind. Yet adding debug output printing argv entries being copied did. Fixes: 1e6e8bd9a62aa ("Third stage to ipset-5") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
-rw-r--r--lib/ipset.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/lib/ipset.c b/lib/ipset.c
index c910d88..3bf1c5f 100644
--- a/lib/ipset.c
+++ b/lib/ipset.c
@@ -343,9 +343,9 @@ ipset_shift_argv(int *argc, char *argv[], int from)
assert(*argc >= from + 1);
- for (i = from + 1; i <= *argc; i++)
+ for (i = from + 1; i < *argc; i++)
argv[i-1] = argv[i];
- (*argc)--;
+ argv[--(*argc)] = NULL;
return;
}
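Review bot: The new `argv[--(*argc)] = NULL;` store is protected only by the `assert(*argc >= from + 1);` above it, which is compiled out under NDEBUG and does not reject a negative `from`. With `from == -1` and `*argc == 0` the assertion holds, the loop is skipped, and the store lands on `argv[-1]`; in a non-assert build any `*argc <= 0` does the same. Since this appears to be a library helper, consider a runtime guard ahead of the loop, e.g. `if (from < 0 || *argc <= from) return;`, keeping the assert for debug builds. The function's opening and declarations lie outside the hunk, so whether callers already guarantee these bounds cannot be confirmed from here.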