From 906facf31d1df1a1131b79ebaabe297ac242dd2f Mon Sep 17 00:00:00 2001 From: Michael Braun Date: Fri, 1 May 2020 17:48:16 +0200 Subject: main: fix ASAN -fsanitize=address error in get_optstring() nft list table bridge t ================================================================= ==28552==ERROR: AddressSanitizer: global-buffer-overflow on address 0x5579c662e816 at pc 0x7fc2803246aa bp 0x7fff495c86f0 sp 0x7fff495c7ea0 WRITE of size 2 at 0x5579c662e816 thread T0 #0 0x7fc2803246a9 in vsprintf (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x546a9) #1 0x7fc2803249f6 in __interceptor_sprintf (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x549f6) #2 0x5579c661e7d2 in get_optstring nftables/src/main.c:128 #3 0x5579c66202af in main nftables/src/main.c:315 #4 0x7fc27ea7b09a in __libc_start_main ../csu/libc-start.c:308 #5 0x5579c661e439 in _start (nftables/src/.libs/nft+0x9439) 0x5579c662e816 is located 0 bytes to the right of global variable 'optstring' defined in 'main.c:121:14' (0x5579c662e800) of size 22 0x5579c662e816 is located 42 bytes to the left of global variable 'options' defined in 'main.c:137:23' (0x5579c662e840) of size 672 SUMMARY: AddressSanitizer: global-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x546a9) in vsprintf Shadow bytes around the buggy address: 0x0aafb8cbdcb0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 0x0aafb8cbdcc0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 0x0aafb8cbdcd0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 0x0aafb8cbdce0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00 0x0aafb8cbdcf0: 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 =>0x0aafb8cbdd00: 00 00[06]f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00 0x0aafb8cbdd10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0aafb8cbdd20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0aafb8cbdd30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0aafb8cbdd40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0aafb8cbdd50: 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==28552==ABORTING Fixes: 719e44277f8e ("main: use one data-structure to initialize getopt_long(3) arguments and help.") Signed-of-by: Michael Braun Signed-off-by: Pablo Neira Ayuso --- src/main.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/main.c b/src/main.c index 3dc6b62c..d213c601 100644 --- a/src/main.c +++ b/src/main.c @@ -124,10 +124,10 @@ static const char *get_optstring(void) size_t i, j; optstring[0] = '+'; - for (i = 0, j = 1; i < NR_NFT_OPTIONS; i++) - j += sprintf(optstring + j, "%c%s", - nft_options[i].val, - nft_options[i].arg ? ":" : ""); + for (i = 0, j = 1; i < NR_NFT_OPTIONS && j < sizeof(optstring); i++) + j += snprintf(optstring + j, sizeof(optstring) - j, "%c%s", + nft_options[i].val, + nft_options[i].arg ? ":" : ""); } return optstring; } -- cgit v1.2.3