iproute2: tc: potential buffer overflow
diff mbox series

Message ID 8fo.ZWfD.3kvedbSyU2M.1TQd9t@seznam.cz
State Changes Requested
Delegated to: stephen hemminger
Headers show
Series
  • iproute2: tc: potential buffer overflow
Related show

Commit Message

tomaspaukrt@email.cz Aug. 31, 2019, 1:13 p.m. UTC
Hi,

there are two potentially dangerous calls of strcpy function in the program "tc". In the attachment is a patch that fixes this issue.

Tomas

Comments

Stephen Hemminger Aug. 31, 2019, 3:37 p.m. UTC | #1
On Sat, 31 Aug 2019 15:13:27 +0200 (CEST)
<tomaspaukrt@email.cz> wrote:

> Hi,
> 
> there are two potentially dangerous calls of strcpy function in the program "tc". In the attachment is a patch that fixes this issue.
> 
> Tomas

This looks correct.

Please fix with strlcpy() instead; that is clearer.
Plus you can use XT_EXTENSION_MAX_NAMELEN here (optional).
tomaspaukrt@email.cz Sept. 7, 2019, 1:43 p.m. UTC | #2
The updated patch is in the attachment.

---------- Původní e-mail ----------
Od: Stephen Hemminger <stephen@networkplumber.org>
Komu: tomaspaukrt@email.cz
Datum: 31. 8. 2019 17:38:01
Předmět: Re: iproute2: tc: potential buffer overflow
On Sat, 31 Aug 2019 15:13:27 +0200 (CEST)
<tomaspaukrt@email.cz> wrote:

> Hi,
> 
> there are two potentially dangerous calls of strcpy function in the program "tc". In the attachment is a patch that fixes this issue.
> 
> Tomas

This looks correct.

Please fix with strlcpy() instead; that is clearer.
Plus you can use XT_EXTENSION_MAX_NAMELEN here (optional).

Patch
diff mbox series

diff --git a/tc/m_ipt.c b/tc/m_ipt.c
index cc95eab7..cb64380b 100644
--- a/tc/m_ipt.c
+++ b/tc/m_ipt.c
@@ -269,7 +269,8 @@  static int build_st(struct xtables_target *target, struct ipt_entry_target *t)
 		} else {
 			target->t = t;
 		}
-		strcpy(target->t->u.user.name, target->name);
+		strncpy(target->t->u.user.name, target->name,
+			sizeof(target->t->u.user.name) - 1);
 		return 0;
 	}
 
diff --git a/tc/m_xt_old.c b/tc/m_xt_old.c
index 6a4509a9..974ac496 100644
--- a/tc/m_xt_old.c
+++ b/tc/m_xt_old.c
@@ -177,7 +177,8 @@  build_st(struct xtables_target *target, struct xt_entry_target *t)
 	if (t == NULL) {
 		target->t = fw_calloc(1, size);
 		target->t->u.target_size = size;
-		strcpy(target->t->u.user.name, target->name);
+		strncpy(target->t->u.user.name, target->name,
+			sizeof(target->t->u.user.name) - 1);
 		set_revision(target->t->u.user.name, target->revision);
 
 		if (target->init != NULL)