diff options
| author | Phil Sutter <phil@nwl.cc> | 2018-09-24 19:25:22 +0200 |
|---|---|---|
| committer | Florian Westphal <fw@strlen.de> | 2018-09-25 16:26:20 +0200 |
| commit | a76ba54e2833761c46fd57cbe2486cbc38686717 (patch) | |
| tree | f0d66236a18e7e85eb4646496d34250220936242 | |
| parent | a3716cc1a501e40e26a96d78b2e1285bb081f366 (diff) | |
libiptc: NULL-terminate errorname
In struct chain_head, field 'name' is of size TABLE_MAXNAMELEN, hence
copying its content into 'error_name' field of struct xt_error_target
which is two bytes shorter may overflow. Make sure this doesn't happen
by using strncpy() and set the last byte to zero.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
| -rw-r--r-- | libiptc/libiptc.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/libiptc/libiptc.c b/libiptc/libiptc.c index 7c3cb9e7..9ecec581 100644 --- a/libiptc/libiptc.c +++ b/libiptc/libiptc.c @@ -1150,7 +1150,8 @@ static int iptcc_compile_chain(struct xtc_handle *h, STRUCT_REPLACE *repl, struc strcpy(head->name.target.u.user.name, ERROR_TARGET); head->name.target.u.target_size = ALIGN(sizeof(struct xt_error_target)); - strcpy(head->name.errorname, c->name); + strncpy(head->name.errorname, c->name, XT_FUNCTION_MAXNAMELEN); + head->name.errorname[XT_FUNCTION_MAXNAMELEN - 1] = '\0'; } else { repl->hook_entry[c->hooknum-1] = c->head_offset; repl->underflow[c->hooknum-1] = c->foot_offset; |