nft: arp: fix possible string overflow
This patch replaces strcat with strncat and strcpy with strncpy
fixing possible string overflow.
Based on the original patch:
http://patchwork.ozlabs.org/patch/279672/
from Jaromír Končický via Jiri Popelka.
Signed-off-by: Giuseppe Longo <giuseppelng@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
index 08f8814..1710136 100644
--- a/iptables/nft-arp.c
+++ b/iptables/nft-arp.c
@@ -459,7 +459,8 @@
sprintf(buf, "%s", addr_to_dotted(&(fw.arp.src)));
else
sprintf(buf, "%s", addr_to_anyname(&(fw.arp.src)));
- strcat(buf, mask_to_dotted(&(fw.arp.smsk)));
+ strncat(buf, mask_to_dotted(&(fw.arp.smsk)),
+ sizeof(buf) - strlen(buf) - 1);
printf("-s %s ", buf);
}
@@ -483,7 +484,8 @@
sprintf(buf, "%s", addr_to_dotted(&(fw.arp.tgt)));
else
sprintf(buf, "%s", addr_to_anyname(&(fw.arp.tgt)));
- strcat(buf, mask_to_dotted(&(fw.arp.tmsk)));
+ strncat(buf, mask_to_dotted(&(fw.arp.tmsk)),
+ sizeof(buf) - strlen(buf) - 1);
printf("-d %s ", buf);
}
diff --git a/iptables/xtables-arp.c b/iptables/xtables-arp.c
index 411a699..18f285c 100644
--- a/iptables/xtables-arp.c
+++ b/iptables/xtables-arp.c
@@ -847,7 +847,8 @@
target->t = xtables_calloc(1, size);
target->t->u.target_size = size;
- strcpy(target->t->u.user.name, jumpto);
+ strncpy(target->t->u.user.name, jumpto, sizeof(target->t->u.user.name));
+ target->t->u.user.name[sizeof(target->t->u.user.name)-1] = '\0';
target->t->u.user.revision = target->revision;
xs_init_target(target);
