From 9dfd443c3828a3e9a3cf5cf2afb9f0324bacb19a Mon Sep 17 00:00:00 2001 From: Phil Sutter Date: Fri, 15 Mar 2019 17:51:28 +0100 Subject: [PATCH] libiptc: NULL-terminate errorname Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980 Upstream Status: iptables commit a76ba54e28337 commit a76ba54e2833761c46fd57cbe2486cbc38686717 Author: Phil Sutter Date: Mon Sep 24 19:25:22 2018 +0200 libiptc: NULL-terminate errorname In struct chain_head, field 'name' is of size TABLE_MAXNAMELEN, hence copying its content into 'error_name' field of struct xt_error_target which is two bytes shorter may overflow. Make sure this doesn't happen by using strncpy() and set the last byte to zero. Signed-off-by: Phil Sutter Signed-off-by: Florian Westphal Signed-off-by: Phil Sutter --- libiptc/libiptc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libiptc/libiptc.c b/libiptc/libiptc.c index f6a9862ea9f4d..d2427c16a5254 100644 --- a/libiptc/libiptc.c +++ b/libiptc/libiptc.c @@ -1149,7 +1149,8 @@ static int iptcc_compile_chain(struct xtc_handle *h, STRUCT_REPLACE *repl, struc strcpy(head->name.target.u.user.name, ERROR_TARGET); head->name.target.u.target_size = ALIGN(sizeof(struct xt_error_target)); - strcpy(head->name.errorname, c->name); + strncpy(head->name.errorname, c->name, XT_FUNCTION_MAXNAMELEN); + head->name.errorname[XT_FUNCTION_MAXNAMELEN - 1] = '\0'; } else { repl->hook_entry[c->hooknum-1] = c->head_offset; repl->underflow[c->hooknum-1] = c->foot_offset; -- 2.21.0