matthias
/
iproute2
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

tc/m_xt: Fix for potential string buffer overflows 

- Use strncpy() when writing to target->t->u.user.name and make sure the
  final byte remains untouched (xtables_calloc() set it to zero).
- 'tname' length sanitization was completely wrong: If it's length
  exceeded the 16 bytes available in 'k', passing a length value of 16
  to strncpy() would overwrite the previously NULL'ed 'k[15]'. Also, the
  sanitization has to happen if 'tname' is exactly 16 bytes long as
  well.

Signed-off-by: Phil Sutter <phil@nwl.cc>
This commit is contained in:
Phil Sutter 2017-08-24 11:51:49 +02:00 committed by Stephen Hemminger
parent bc27878d21
commit 56270e5466
1 changed files with 4 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
tc/m_xt.c
View File

@ -95,7 +95,8 @@ build_st(struct xtables_target *target, struct xt_entry_target *t)
if (t == NULL) {
target->t = xtables_calloc(1, size);
target->t->u.target_size = size;
strcpy(target->t->u.user.name, target->name);
strncpy(target->t->u.user.name, target->name,
sizeof(target->t->u.user.name) - 1);
target->t->u.user.revision = target->revision;
if (target->init != NULL)
@ -277,8 +278,8 @@ static int parse_ipt(struct action_util *a, int *argc_p,
}
fprintf(stdout, " index %d\n", index);
if (strlen(tname) > 16) {
size = 16;
if (strlen(tname) >= 16) {
size = 15;
k[15] = 0;
} else {
size = 1 + strlen(tname);