From a76ba54e2833761c46fd57cbe2486cbc38686717 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Mon, 24 Sep 2018 19:25:22 +0200
Subject: libiptc: NULL-terminate errorname

In struct chain_head, field 'name' is of size TABLE_MAXNAMELEN, hence
copying its content into 'error_name' field of struct xt_error_target
which is two bytes shorter may overflow. Make sure this doesn't happen
by using strncpy() and set the last byte to zero.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
 libiptc/libiptc.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'libiptc/libiptc.c')

diff --git a/libiptc/libiptc.c b/libiptc/libiptc.c
index 7c3cb9e7..9ecec581 100644
--- a/libiptc/libiptc.c
+++ b/libiptc/libiptc.c
@@ -1150,7 +1150,8 @@ static int iptcc_compile_chain(struct xtc_handle *h, STRUCT_REPLACE *repl, struc
 		strcpy(head->name.target.u.user.name, ERROR_TARGET);
 		head->name.target.u.target_size =
 				ALIGN(sizeof(struct xt_error_target));
-		strcpy(head->name.errorname, c->name);
+		strncpy(head->name.errorname, c->name, XT_FUNCTION_MAXNAMELEN);
+		head->name.errorname[XT_FUNCTION_MAXNAMELEN - 1] = '\0';
 	} else {
 		repl->hook_entry[c->hooknum-1] = c->head_offset;
 		repl->underflow[c->hooknum-1] = c->foot_offset;
-- 
cgit v1.2.3