diff options
author | Phil Sutter <phil@nwl.cc> | 2017-08-24 11:51:49 +0200 |
---|---|---|
committer | Stephen Hemminger <stephen@networkplumber.org> | 2017-08-24 14:53:14 -0700 |
commit | 56270e54661e8ca51d4b3661b9f9bb12a0a40d95 (patch) | |
tree | dc2cb7bfeefdde971be596b89e3439d53a435509 /tc/m_xt.c | |
parent | bc27878d21909b110dd21eea0c3505d023f29dc2 (diff) | |
download | platform_external_iproute2-56270e54661e8ca51d4b3661b9f9bb12a0a40d95.tar.gz platform_external_iproute2-56270e54661e8ca51d4b3661b9f9bb12a0a40d95.tar.bz2 platform_external_iproute2-56270e54661e8ca51d4b3661b9f9bb12a0a40d95.zip |
tc/m_xt: Fix for potential string buffer overflows
- Use strncpy() when writing to target->t->u.user.name and make sure the
final byte remains untouched (xtables_calloc() set it to zero).
- 'tname' length sanitization was completely wrong: If it's length
exceeded the 16 bytes available in 'k', passing a length value of 16
to strncpy() would overwrite the previously NULL'ed 'k[15]'. Also, the
sanitization has to happen if 'tname' is exactly 16 bytes long as
well.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Diffstat (limited to 'tc/m_xt.c')
-rw-r--r-- | tc/m_xt.c | 7 |
1 files changed, 4 insertions, 3 deletions
@@ -95,7 +95,8 @@ build_st(struct xtables_target *target, struct xt_entry_target *t) if (t == NULL) { target->t = xtables_calloc(1, size); target->t->u.target_size = size; - strcpy(target->t->u.user.name, target->name); + strncpy(target->t->u.user.name, target->name, + sizeof(target->t->u.user.name) - 1); target->t->u.user.revision = target->revision; if (target->init != NULL) @@ -277,8 +278,8 @@ static int parse_ipt(struct action_util *a, int *argc_p, } fprintf(stdout, " index %d\n", index); - if (strlen(tname) > 16) { - size = 16; + if (strlen(tname) >= 16) { + size = 15; k[15] = 0; } else { size = 1 + strlen(tname); |