@@ -59,14 +59,15 @@ static int nftnl_data_reg_verdict_json_parse(union nftnl_data_reg *reg, json_t *
static int nftnl_data_reg_value_json_parse(union nftnl_data_reg *reg, json_t *data,
struct nftnl_parse_err *err)
{
- int i;
- char node_name[6];
+ char node_name[strlen("data256") + 1] = {};
+ int ret, remain = size, offset = 0, i;
if (nftnl_jansson_parse_val(data, "len", NFTNL_TYPE_U8, ®->len, err) < 0)
return DATA_NONE;
for (i = 0; i < div_round_up(reg->len, sizeof(uint32_t)); i++) {
- sprintf(node_name, "data%d", i);
+ ret = snprintf(node_name, sizeof(node_name), "data%u", i);
+ SNPRINTF_BUFFER_SIZE(ret, remain, offset);
if (nftnl_jansson_str2num(data, node_name, BASE_HEX,
®->val[i], NFTNL_TYPE_U32, err) != 0)
expr/data_reg.c: In function 'nftnl_data_reg_json_parse': expr/data_reg.c:69:27: warning: '%d' directive writing between 1 and 10 bytes into a region of size 2 [-Wformat-overflow=] sprintf(node_name, "data%d", i); ^~ expr/data_reg.c:69:22: note: directive argument in the range [0, 2147483647] sprintf(node_name, "data%d", i); Buffer overflow is triggerable when reg->len > 396, but len never goes over 128 due to type validation just a bit before. Use snprintf() and make sure buffer is large enough to store the "data256" string. Reported-by: Jan Engelhardt <jengelh@inai.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> --- src/expr/data_reg.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-)