snprintf: perform strict checking for the protocol state value

This patch avoids possible out-of-bound array access if protocol
states higher than the accepted are used.

Reported-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

1 files changed, 9 insertions, 3 deletions

diff --git a/src/conntrack/snprintf_xml.c b/src/conntrack/snprintf_xml.c
index 17e0cd4..aa9a9ec 100644
--- a/src/conntrack/snprintf_xml.c
+++ b/src/conntrack/snprintf_xml.c
@@ -303,19 +303,25 @@ int __snprintf_conntrack_xml(char *buf,
 
 	if (test_bit(ATTR_TCP_STATE, ct->set)) {
 		ret = snprintf(buf+offset, len, "<state>%s</state>",
-			       states[ct->protoinfo.tcp.state]);
+			       ct->protoinfo.tcp.state < TCP_CONNTRACK_MAX ?
+			       states[ct->protoinfo.tcp.state] :
+			       states[TCP_CONNTRACK_NONE]);
 		BUFFER_SIZE(ret, size, len, offset);
 	}
 
 	if (test_bit(ATTR_SCTP_STATE, ct->set)) {
 		ret = snprintf(buf+offset, len, "<state>%s</state>",
-			       states[ct->protoinfo.sctp.state]);
+			       ct->protoinfo.sctp.state < SCTP_CONNTRACK_MAX ?
+			       states[ct->protoinfo.sctp.state] :
+			       states[SCTP_CONNTRACK_NONE]);
 		BUFFER_SIZE(ret, size, len, offset);
 	}
 
 	if (test_bit(ATTR_DCCP_STATE, ct->set)) {
 		ret = snprintf(buf+offset, len, "<state>%s</state>",
-			       states[ct->protoinfo.dccp.state]);
+			       ct->protoinfo.sctp.state < DCCP_CONNTRACK_MAX ?
+			       states[ct->protoinfo.dccp.state] :
+			       states[DCCP_CONNTRACK_NONE]);
 		BUFFER_SIZE(ret, size, len, offset);
 	}