summaryrefslogtreecommitdiffstats
path: root/libiptc
diff options
context:
space:
mode:
authorPhil Sutter <phil@nwl.cc>2018-09-24 19:25:22 +0200
committerFlorian Westphal <fw@strlen.de>2018-09-25 16:26:20 +0200
commita76ba54e2833761c46fd57cbe2486cbc38686717 (patch)
treef0d66236a18e7e85eb4646496d34250220936242 /libiptc
parenta3716cc1a501e40e26a96d78b2e1285bb081f366 (diff)
libiptc: NULL-terminate errorname
In struct chain_head, field 'name' is of size TABLE_MAXNAMELEN, hence copying its content into 'error_name' field of struct xt_error_target which is two bytes shorter may overflow. Make sure this doesn't happen by using strncpy() and set the last byte to zero. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>
Diffstat (limited to 'libiptc')
-rw-r--r--libiptc/libiptc.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/libiptc/libiptc.c b/libiptc/libiptc.c
index 7c3cb9e7..9ecec581 100644
--- a/libiptc/libiptc.c
+++ b/libiptc/libiptc.c
@@ -1150,7 +1150,8 @@ static int iptcc_compile_chain(struct xtc_handle *h, STRUCT_REPLACE *repl, struc
strcpy(head->name.target.u.user.name, ERROR_TARGET);
head->name.target.u.target_size =
ALIGN(sizeof(struct xt_error_target));
- strcpy(head->name.errorname, c->name);
+ strncpy(head->name.errorname, c->name, XT_FUNCTION_MAXNAMELEN);
+ head->name.errorname[XT_FUNCTION_MAXNAMELEN - 1] = '\0';
} else {
repl->hook_entry[c->hooknum-1] = c->head_offset;
repl->underflow[c->hooknum-1] = c->foot_offset;