libxtables: fix memory scribble beyond end of array

When using -s "", the "n" variable in the code remains uninitialized
and usually scribbes beyond the end of the array.

Furthermore, "n" is just as big as entries in the last host lookup.
When specifying more than one item to -s, e.g. "-s host,host", "n" is
less than "count", and we are not masking the addresses at all
(leaving them at addr/32 resp. addr/128).

The issue goes back to the initial code from v1.4.5~21.

References: http://bugs.debian.org/611990
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

diff --git a/xtables.c b/xtables.c
index 57d5d13e8e1c6f4c362d551050f455c1d5c1378d..f66fb275e13bb098a4b7f0c1d03a3ba1a5807807 100644 (file)
--- a/xtables.c
+++ b/xtables.c
@@ -1272,7 +1272,7 @@ void xtables_ipparse_multiple(const char *name, struct in_addr **addrpp,
                free(addrp);
        }
        *naddrs = count;
-       for (i = 0; i < n; ++i)
+       for (i = 0; i < count; ++i)
                (*addrpp+i)->s_addr &= (*maskpp+i)->s_addr;
 }
 
@@ -1587,7 +1587,7 @@ xtables_ip6parse_multiple(const char *name, struct in6_addr **addrpp,
                free(addrp);
        }
        *naddrs = count;
-       for (i = 0; i < n; ++i)
+       for (i = 0; i < count; ++i)
                for (j = 0; j < 4; ++j)
                        (*addrpp+i)->s6_addr32[j] &= (*maskpp+i)->s6_addr32[j];
 }