From 3ba6d6c1ded320db0c0519bcf4cb270933e55c9a Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Sat, 30 May 2009 11:01:05 +0200
Subject: snprintf: perform strict checking for the protocol state value

This patch avoids possible out-of-bound array access if protocol
states higher than the accepted are used.

Reported-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/conntrack/snprintf_default.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

(limited to 'src/conntrack/snprintf_default.c')

diff --git a/src/conntrack/snprintf_default.c b/src/conntrack/snprintf_default.c
index 6eda16c..6749738 100644
--- a/src/conntrack/snprintf_default.c
+++ b/src/conntrack/snprintf_default.c
@@ -38,19 +38,28 @@ int __snprintf_protoinfo(char *buf,
 			 unsigned int len,
 			 const struct nf_conntrack *ct)
 {
-	return snprintf(buf, len, "%s ", states[ct->protoinfo.tcp.state]);
+	return snprintf(buf, len, "%s ",
+			ct->protoinfo.tcp.state < TCP_CONNTRACK_MAX ?
+			states[ct->protoinfo.tcp.state] :
+			states[TCP_CONNTRACK_NONE]);
 }
 int __snprintf_protoinfo_sctp(char *buf, 
 			      unsigned int len,
 			      const struct nf_conntrack *ct)
 {
-	return snprintf(buf, len, "%s ", sctp_states[ct->protoinfo.sctp.state]);
+	return snprintf(buf, len, "%s ",
+			ct->protoinfo.sctp.state < SCTP_CONNTRACK_MAX ?
+			sctp_states[ct->protoinfo.sctp.state] :
+			sctp_states[SCTP_CONNTRACK_NONE]);
 }
 int __snprintf_protoinfo_dccp(char *buf, 
 			      unsigned int len,
 			      const struct nf_conntrack *ct)
 {
-	return snprintf(buf, len, "%s ", dccp_states[ct->protoinfo.dccp.state]);
+	return snprintf(buf, len, "%s ",
+			ct->protoinfo.dccp.state < DCCP_CONNTRACK_MAX ?
+			sctp_states[ct->protoinfo.dccp.state] :
+			sctp_states[DCCP_CONNTRACK_NONE]);
 }
 
 int __snprintf_address_ipv4(char *buf,
-- 
cgit v1.2.3