From 3ba6d6c1ded320db0c0519bcf4cb270933e55c9a Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Sat, 30 May 2009 11:01:05 +0200
Subject: snprintf: perform strict checking for the protocol state value

This patch avoids possible out-of-bound array access if protocol states higher than the accepted are used.

Reported-by: Jozsef Kadlecsik
Signed-off-by: Pablo Neira Ayuso
---
 src/conntrack/snprintf_default.c | 15 ++++++++++++---
 src/conntrack/snprintf_xml.c | 12 +++++++++---
 2 files changed, 21 insertions(+), 6 deletions(-)

diff --git a/src/conntrack/snprintf_default.c b/src/conntrack/snprintf_default.c
index 6eda16c..6749738 100644
--- a/src/conntrack/snprintf_default.c
+++ b/src/conntrack/snprintf_default.c
@@ -38,19 +38,28 @@ int __snprintf_protoinfo(char *buf,
 unsigned int len,
 const struct nf_conntrack *ct)
 {
- return snprintf(buf, len, "%s ", states[ct->protoinfo.tcp.state]);
+ return snprintf(buf, len, "%s ",
+ ct->protoinfo.tcp.state < TCP_CONNTRACK_MAX ?
+ states[ct->protoinfo.tcp.state] :
+ states[TCP_CONNTRACK_NONE]);
 }
 int __snprintf_protoinfo_sctp(char *buf,
 unsigned int len,
 const struct nf_conntrack *ct)
 {
- return snprintf(buf, len, "%s ", sctp_states[ct->protoinfo.sctp.state]);
+ return snprintf(buf, len, "%s ",
+ ct->protoinfo.sctp.state < SCTP_CONNTRACK_MAX ?
+ sctp_states[ct->protoinfo.sctp.state] :
+ sctp_states[SCTP_CONNTRACK_NONE]);
 }
 int __snprintf_protoinfo_dccp(char *buf,
 unsigned int len,
 const struct nf_conntrack *ct)
 {
- return snprintf(buf, len, "%s ", dccp_states[ct->protoinfo.dccp.state]);
+ return snprintf(buf, len, "%s ",
+ ct->protoinfo.dccp.state < DCCP_CONNTRACK_MAX ?
+ sctp_states[ct->protoinfo.dccp.state] :
+ sctp_states[DCCP_CONNTRACK_NONE]);
 }
 int __snprintf_address_ipv4(char *buf,
diff --git a/src/conntrack/snprintf_xml.c b/src/conntrack/snprintf_xml.c
index 17e0cd4..aa9a9ec 100644
--- a/src/conntrack/snprintf_xml.c
+++ b/src/conntrack/snprintf_xml.c
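Review bot: The DCCP branch of the hunk now reads from `sctp_states[]` while bounding the index with `DCCP_CONNTRACK_MAX`; the removed line indexed `dccp_states[]`, so this is a table mix-up introduced by the patch, and the new bound only protects the array it was defined for. The two added lines in `__snprintf_protoinfo_dccp` should read `sctp_states[ct->protoinfo.dccp.state] :` → `dccp_states[ct->protoinfo.dccp.state] :` and `sctp_states[DCCP_CONNTRACK_NONE]);` → `dccp_states[DCCP_CONNTRACK_NONE]);`. The `< *_CONNTRACK_MAX` comparisons in all three functions are sound only if each name table is declared with exactly that many entries and the `state` fields are unsigned; neither is visible in this hunk, so it is worth confirming at the table definitions.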
@@ -303,19 +303,25 @@ int __snprintf_conntrack_xml(char *buf,
 if (test_bit(ATTR_TCP_STATE, ct->set)) {
 ret = snprintf(buf+offset, len, "%s",
- states[ct->protoinfo.tcp.state]);
+ ct->protoinfo.tcp.state < TCP_CONNTRACK_MAX ?
+ states[ct->protoinfo.tcp.state] :
+ states[TCP_CONNTRACK_NONE]);
 BUFFER_SIZE(ret, size, len, offset);
 }
 if (test_bit(ATTR_SCTP_STATE, ct->set)) {
 ret = snprintf(buf+offset, len, "%s",
- states[ct->protoinfo.sctp.state]);
+ ct->protoinfo.sctp.state < SCTP_CONNTRACK_MAX ?
+ states[ct->protoinfo.sctp.state] :
+ states[SCTP_CONNTRACK_NONE]);
 BUFFER_SIZE(ret, size, len, offset);
 }
 if (test_bit(ATTR_DCCP_STATE, ct->set)) {
 ret = snprintf(buf+offset, len, "%s",
- states[ct->protoinfo.dccp.state]);
+ ct->protoinfo.sctp.state < DCCP_CONNTRACK_MAX ?
+ states[ct->protoinfo.dccp.state] :
+ states[DCCP_CONNTRACK_NONE]);
 BUFFER_SIZE(ret, size, len, offset);
 }
--
cgit v1.2.3
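Review bot: The DCCP branch tests `ct->protoinfo.sctp.state < DCCP_CONNTRACK_MAX` but then indexes with `ct->protoinfo.dccp.state`, so the bound is checked on the wrong field and an out-of-range DCCP state still reaches the array; the added line should be `ct->protoinfo.dccp.state < DCCP_CONNTRACK_MAX ?`. Independently, the SCTP and DCCP branches still index `states[]` (the TCP name table, as the removed lines also did) while bounding against `SCTP_CONNTRACK_MAX` and `DCCP_CONNTRACK_MAX`; that check is only sound if those limits do not exceed the length of `states[]`, and the printed names are the TCP ones regardless, so the per-protocol tables that snprintf_default.c uses look like the intended lookups if they are available in this file. `__snprintf_conntrack_xml` starts before and continues after the hunk.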