diff options
author | Pablo Neira Ayuso <pablo@netfilter.org> | 2022-12-21 17:37:46 +0100 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2022-12-21 17:40:19 +0100 |
commit | 9967911e3dabb32901617e81e56602af3b37287f (patch) | |
tree | 0908df548cf8eeaaa70e08da30dbca1dc77dea2f | |
parent | 2606db33878c4cf620d29acdebb4be9e310c10cd (diff) |
owner: Fix potential array out of bounds access
If the link target length exceeds 'sizeof(tmp)' bytes, readlink() will
return 'sizeof(tmp)'. Using this value as index is illegal.
Original update from Phil, for the conntrack-tools tree, which also has
a copy of this function.
Fixes: 6d085b22a8b5 ("table: support for the table owner flag")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r-- | src/owner.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/owner.c b/src/owner.c index 2d98a2e9..20bed38b 100644 --- a/src/owner.c +++ b/src/owner.c @@ -66,7 +66,7 @@ static char *portid2name(pid_t pid, uint32_t portid, unsigned long inode) continue; rl = readlink(procname, tmp, sizeof(tmp)); - if (rl <= 0 || rl > (ssize_t)sizeof(tmp)) + if (rl <= 0 || rl >= (ssize_t)sizeof(tmp)) continue; tmp[rl] = 0; |