libxt_conntrack: Avoid potential buffer overrun

In print_addr(), a resolved hostname is written into a buffer without size check. Since BUFSIZ is typically 8192 bytes, this shouldn't be an issue, though covscan complained about it. Fix the code by using conntrack_dump_addr() as an example. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
author: Phil Sutter <phil@nwl.cc> 2018-09-19 15:16:50 +0200
committer: Florian Westphal <fw@strlen.de> 2018-09-24 11:24:01 +0200
commit: 8e798e050367dfe43bb958f11dd3170b03bda49e (patch)
tree: 086338c12fb46e635268a897a4ed477c30f31922 /extensions/libxt_conntrack.c
parent: 74eb2395c838460384286c2b95f711ae275a46cb (diff)
1 files changed, 7 insertions, 7 deletions
diff --git a/extensions/libxt_conntrack.c b/extensions/libxt_conntrack.c
index f1bc8f45..daa8c15a 100644
--- a/extensions/libxt_conntrack.c
+++ b/extensions/libxt_conntrack.c
@@ -673,20 +673,20 @@ static void
 print_addr(const struct in_addr *addr, const struct in_addr *mask,
            int inv, int numeric)
 {
-	char buf[BUFSIZ];
-
 	if (inv)
 		printf(" !");
 
 	if (mask->s_addr == 0L && !numeric)
-		printf(" %s", "anywhere");
+		printf(" anywhere");
 	else {
 		if (numeric)
-			strcpy(buf, xtables_ipaddr_to_numeric(addr));
+			printf(" %s%s",
+			       xtables_ipaddr_to_numeric(addr),
+			       xtables_ipmask_to_numeric(mask));
 		else
-			strcpy(buf, xtables_ipaddr_to_anyname(addr));
-		strcat(buf, xtables_ipmask_to_numeric(mask));
-		printf(" %s", buf);
+			printf(" %s%s",
+			       xtables_ipaddr_to_anyname(addr),
+			       xtables_ipmask_to_numeric(mask));
 	}
 }
author	Phil Sutter <phil@nwl.cc>	2018-09-19 15:16:50 +0200
committer	Florian Westphal <fw@strlen.de>	2018-09-24 11:24:01 +0200
commit	8e798e050367dfe43bb958f11dd3170b03bda49e (patch)
tree	086338c12fb46e635268a897a4ed477c30f31922 /extensions/libxt_conntrack.c
parent	74eb2395c838460384286c2b95f711ae275a46cb (diff)