From fb998eccee2030aabe249b1e7515050399e0304b Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Thu, 28 Dec 2017 19:17:34 +0100 Subject: data_reg: calm down compilation warning in nftnl_data_reg_value_json_parse() expr/data_reg.c: In function 'nftnl_data_reg_json_parse': expr/data_reg.c:69:27: warning: '%d' directive writing between 1 and 10 bytes into a region of size 2 [-Wformat-overflow=] sprintf(node_name, "data%d", i); ^~ expr/data_reg.c:69:22: note: directive argument in the range [0, 2147483647] sprintf(node_name, "data%d", i); Buffer overflow is triggerable when reg->len > 396, but len never goes over 128 due to type validation just a bit before. Use snprintf() and make sure buffer is large enough to store the "data256" string. Reported-by: Jan Engelhardt Signed-off-by: Pablo Neira Ayuso --- src/expr/data_reg.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'src') diff --git a/src/expr/data_reg.c b/src/expr/data_reg.c index 7023202..1b28b29 100644 --- a/src/expr/data_reg.c +++ b/src/expr/data_reg.c @@ -59,14 +59,15 @@ static int nftnl_data_reg_verdict_json_parse(union nftnl_data_reg *reg, json_t * static int nftnl_data_reg_value_json_parse(union nftnl_data_reg *reg, json_t *data, struct nftnl_parse_err *err) { - int i; - char node_name[6]; + char node_name[8] = {}; /* strlen("data256") + 1 == 8 */ + int ret, remain = sizeof(node_name), offset = 0, i; if (nftnl_jansson_parse_val(data, "len", NFTNL_TYPE_U8, ®->len, err) < 0) return DATA_NONE; for (i = 0; i < div_round_up(reg->len, sizeof(uint32_t)); i++) { - sprintf(node_name, "data%d", i); + ret = snprintf(node_name, sizeof(node_name), "data%u", i); + SNPRINTF_BUFFER_SIZE(ret, remain, offset); if (nftnl_jansson_str2num(data, node_name, BASE_HEX, ®->val[i], NFTNL_TYPE_U32, err) != 0) -- cgit v1.2.3