diff options
author | Pablo Neira Ayuso <pablo@netfilter.org> | 2009-05-30 11:01:05 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2009-05-30 11:01:05 +0200 |
commit | 3ba6d6c1ded320db0c0519bcf4cb270933e55c9a (patch) | |
tree | 9a66a9d82047e864ec0211e7aa17e7b0dac371b6 /src/conntrack/snprintf_xml.c | |
parent | 20ed81b10714dfe78e31e9721e2d4f42b4beabb2 (diff) |
snprintf: perform strict checking for the protocol state value
This patch avoids possible out-of-bound array access if protocol
states higher than the accepted are used.
Reported-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/conntrack/snprintf_xml.c')
-rw-r--r-- | src/conntrack/snprintf_xml.c | 12 |
1 files changed, 9 insertions, 3 deletions
diff --git a/src/conntrack/snprintf_xml.c b/src/conntrack/snprintf_xml.c index 17e0cd4..aa9a9ec 100644 --- a/src/conntrack/snprintf_xml.c +++ b/src/conntrack/snprintf_xml.c @@ -303,19 +303,25 @@ int __snprintf_conntrack_xml(char *buf, if (test_bit(ATTR_TCP_STATE, ct->set)) { ret = snprintf(buf+offset, len, "<state>%s</state>", - states[ct->protoinfo.tcp.state]); + ct->protoinfo.tcp.state < TCP_CONNTRACK_MAX ? + states[ct->protoinfo.tcp.state] : + states[TCP_CONNTRACK_NONE]); BUFFER_SIZE(ret, size, len, offset); } if (test_bit(ATTR_SCTP_STATE, ct->set)) { ret = snprintf(buf+offset, len, "<state>%s</state>", - states[ct->protoinfo.sctp.state]); + ct->protoinfo.sctp.state < SCTP_CONNTRACK_MAX ? + states[ct->protoinfo.sctp.state] : + states[SCTP_CONNTRACK_NONE]); BUFFER_SIZE(ret, size, len, offset); } if (test_bit(ATTR_DCCP_STATE, ct->set)) { ret = snprintf(buf+offset, len, "<state>%s</state>", - states[ct->protoinfo.dccp.state]); + ct->protoinfo.sctp.state < DCCP_CONNTRACK_MAX ? + states[ct->protoinfo.dccp.state] : + states[DCCP_CONNTRACK_NONE]); BUFFER_SIZE(ret, size, len, offset); } |