[ipset PATCH 2/3] lib: ipset: Avoid 'argv' array overstepping

The maximum accepted value for 'argc' is MAX_ARGS which matches 'argv'
array size. The maximum allowed array index is therefore argc-1.

This fix will leave items in argv non-NULL-terminated, so explicitly
NULL the formerly last entry after shifting.

Looks like a day-1 bug. Interestingly, this neither triggered ASAN nor
valgrind. Yet adding debug output printing argv entries being copied
did.

Fixes: 1e6e8bd9a62aa ("Third stage to ipset-5")
Signed-off-by: Phil Sutter <phil@xxxxxx>
---
 lib/ipset.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/ipset.c b/lib/ipset.c
index c910d88805c28..3bf1c5fcdbc59 100644
--- a/lib/ipset.c
+++ b/lib/ipset.c
@@ -343,9 +343,9 @@ ipset_shift_argv(int *argc, char *argv[], int from)
 
 	assert(*argc >= from + 1);
 
-	for (i = from + 1; i <= *argc; i++)
+	for (i = from + 1; i < *argc; i++)
 		argv[i-1] = argv[i];
-	(*argc)--;
+	argv[--(*argc)] = NULL;
 	return;
 }
 
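Review bot: the new store `argv[--(*argc)] = NULL;` folds the decrement and the NULL-termination into one expression, and nothing in the function says that argv is expected to stay NULL-terminated after a shift. Splitting it into `(*argc)--;` followed by `argv[*argc] = NULL;` with a one-line comment would make that invariant explicit for the next reader. The index written here is only in bounds because `assert(*argc >= from + 1)` holds with a non-negative `from`, and that check disappears in NDEBUG builds, so consider also asserting `from >= 0` and the upper bound on `*argc` (MAX_ARGS, per the commit message) that the fixed loop condition relies on.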
-- 
2.43.0




