diff mbox

[nftables,1/3] erec: fix buffer overflow

Message ID 1435132311-31452-2-git-send-email-eric@regit.org
State Accepted
Delegated to: Pablo Neira
Headers show

Commit Message

Eric Leblond June 24, 2015, 7:51 a.m. UTC 
A static array was used to read data and to write information in
it without checking the limit of the array. The result was a buffer
overflow when the line was longer than 1024.

This patch now uses a allocated buffer to avoid the problem.

Signed-off-by: Eric Leblond <eric@regit.org>
---
 src/erec.c | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

Comments

Pablo Neira Ayuso June 30, 2015, 12:03 a.m. UTC | #1 
On Wed, Jun 24, 2015 at 09:51:49AM +0200, Eric Leblond wrote:
> A static array was used to read data and to write information in
> it without checking the limit of the array. The result was a buffer
> overflow when the line was longer than 1024.
> 
> This patch now uses a allocated buffer to avoid the problem.

Applied, thanks Eric.

I have replaced malloc and free by xmalloc and xfree respectively.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
diff mbox

Patch

diff --git a/src/erec.c b/src/erec.c
index 810e9bf..75a3f74 100644
--- a/src/erec.c
+++ b/src/erec.c
@@ -12,6 +12,7 @@ 
 #include <stdio.h>
 #include <string.h>
 #include <stdarg.h>
+#include <stdlib.h>
 
 #include <netlink.h>
 #include <gmputil.h>
@@ -82,6 +83,7 @@  void erec_print(FILE *f, const struct error_record *erec)
 	const struct input_descriptor *indesc = loc->indesc, *tmp;
 	const char *line = NULL; /* silence gcc */
 	char buf[1024];
+	char *pbuf = NULL;
 	unsigned int i, end;
 	int l, ret;
 
@@ -141,17 +143,24 @@  void erec_print(FILE *f, const struct error_record *erec)
 		if (indesc->type != INDESC_INTERNAL)
 			fprintf(f, "%s\n", line);
 
-		memset(buf, ' ', sizeof(buf));
 		end = 0;
 		for (l = erec->num_locations - 1; l >= 0; l--) {
 			loc = &erec->locations[l];
+			end = max(end, loc->last_column);
+		}
+		pbuf = malloc(end + 1);
+		if (pbuf == NULL)
+			return;
+		memset(pbuf, ' ', end + 1);
+		for (l = erec->num_locations - 1; l >= 0; l--) {
+			loc = &erec->locations[l];
 			for (i = loc->first_column ? loc->first_column - 1 : 0;
 			     i < loc->last_column; i++)
-				buf[i] = l ? '~' : '^';
-			end = max(end, loc->last_column);
+				pbuf[i] = l ? '~' : '^';
 		}
-		buf[end] = '\0';
-		fprintf(f, "%s", buf);
+		pbuf[end] = '\0';
+		fprintf(f, "%s", pbuf);
+		free(pbuf);
 	}
 	fprintf(f, "\n");
 }