summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPablo Neira Ayuso <pablo@netfilter.org>2017-12-28 19:17:34 +0100
committerPablo Neira Ayuso <pablo@netfilter.org>2017-12-28 19:42:38 +0100
commitfb998eccee2030aabe249b1e7515050399e0304b (patch)
treed8397c78a214ffaa9f1d277c833d2492fd2fbff3
parent57f85977ed72ee3d623bbc2391d503f8a7e72c5d (diff)
data_reg: calm down compilation warning in nftnl_data_reg_value_json_parse()
expr/data_reg.c: In function 'nftnl_data_reg_json_parse': expr/data_reg.c:69:27: warning: '%d' directive writing between 1 and 10 bytes into a region of size 2 [-Wformat-overflow=] sprintf(node_name, "data%d", i); ^~ expr/data_reg.c:69:22: note: directive argument in the range [0, 2147483647] sprintf(node_name, "data%d", i); Buffer overflow is triggerable when reg->len > 396, but len never goes over 128 due to type validation just a bit before. Use snprintf() and make sure buffer is large enough to store the "data256" string. Reported-by: Jan Engelhardt <jengelh@inai.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r--src/expr/data_reg.c7
1 files changed, 4 insertions, 3 deletions
diff --git a/src/expr/data_reg.c b/src/expr/data_reg.c
index 7023202..1b28b29 100644
--- a/src/expr/data_reg.c
+++ b/src/expr/data_reg.c
@@ -59,14 +59,15 @@ static int nftnl_data_reg_verdict_json_parse(union nftnl_data_reg *reg, json_t *
static int nftnl_data_reg_value_json_parse(union nftnl_data_reg *reg, json_t *data,
struct nftnl_parse_err *err)
{
- int i;
- char node_name[6];
+ char node_name[8] = {}; /* strlen("data256") + 1 == 8 */
+ int ret, remain = sizeof(node_name), offset = 0, i;
if (nftnl_jansson_parse_val(data, "len", NFTNL_TYPE_U8, &reg->len, err) < 0)
return DATA_NONE;
for (i = 0; i < div_round_up(reg->len, sizeof(uint32_t)); i++) {
- sprintf(node_name, "data%d", i);
+ ret = snprintf(node_name, sizeof(node_name), "data%u", i);
+ SNPRINTF_BUFFER_SIZE(ret, remain, offset);
if (nftnl_jansson_str2num(data, node_name, BASE_HEX,
&reg->val[i], NFTNL_TYPE_U32, err) != 0)