@@ -1270,7 +1270,7 @@ print_firewall(const struct arpt_entry *fw,
sprintf(buf, "%s", addr_to_dotted(&(fw->arp.src)));
else
sprintf(buf, "%s", addr_to_anyname(&(fw->arp.src)));
- strcat(buf, mask_to_dotted(&(fw->arp.smsk)));
+ strncat(buf, mask_to_dotted(&(fw->arp.smsk)), sizeof(buf) - strlen(buf) -1);
printf("-s %s ", buf);
}
@@ -1294,7 +1294,7 @@ after_devsrc:
sprintf(buf, "%s", addr_to_dotted(&(fw->arp.tgt)));
else
sprintf(buf, "%s", addr_to_anyname(&(fw->arp.tgt)));
- strcat(buf, mask_to_dotted(&(fw->arp.tmsk)));
+ strncat(buf, mask_to_dotted(&(fw->arp.tmsk)), sizeof(buf) - strlen(buf) -1);
printf("-d %s ", buf);
}
@@ -1796,7 +1796,7 @@ int do_command(int argc, char *argv[], char **table, arptc_handle_t *handle)
*table, arptc_strerror(errno));
}
}
- }
+ }
memset(&fw, 0, sizeof(fw));
opts = original_opts;
@@ -2064,7 +2064,8 @@ int do_command(int argc, char *argv[], char **table, arptc_handle_t *handle)
target->t = fw_calloc(1, size);
target->t->u.target_size = size;
- strcpy(target->t->u.user.name, jumpto);
+ strncpy(target->t->u.user.name, jumpto, sizeof(target->t->u.user.name));
+ target->t->u.user.name[sizeof(target->t->u.user.name)-1] = '\0';
/*
target->init(target->t, &fw.nfcache);
*/
@@ -209,8 +209,10 @@ alloc_handle(const char *tablename, unsigned int size, unsigned int num_rules)
h->counter_map = (void *)h
+ sizeof(STRUCT_TC_HANDLE)
+ size;
- strcpy(h->info.name, tablename);
- strcpy(h->entries.name, tablename);
+ strncpy(h->info.name, tablename, sizeof(h->info.name));
+ h->info.name[sizeof(h->info.name)-1] = '\0';
+ strncpy(h->entries.name, tablename, sizeof(h->entries.name));
+ h->entries.name[sizeof(h->entries.name)-1] = '\0';
return h;
}
@@ -357,8 +359,9 @@ add_chain(STRUCT_ENTRY *e, TC_HANDLE_T h, STRUCT_ENTRY **prev)
h->cache_chain_heads[h->cache_num_chains-1].end
= *prev;
- strcpy(h->cache_chain_heads[h->cache_num_chains].name,
- (const char *)GET_TARGET(e)->data);
+ strncpy(h->cache_chain_heads[h->cache_num_chains].name,
+ (const char *)GET_TARGET(e)->data, TABLE_MAXNAMELEN-1);
+ h->cache_chain_heads[h->cache_num_chains].name[TABLE_MAXNAMELEN-1] = '\0';
h->cache_chain_heads[h->cache_num_chains].start
= (void *)e + e->next_offset;
h->cache_num_chains++;
@@ -368,8 +371,9 @@ add_chain(STRUCT_ENTRY *e, TC_HANDLE_T h, STRUCT_ENTRY **prev)
h->cache_chain_heads[h->cache_num_chains-1].end
= *prev;
- strcpy(h->cache_chain_heads[h->cache_num_chains].name,
- h->hooknames[builtin-1]);
+ strncpy(h->cache_chain_heads[h->cache_num_chains].name,
+ h->hooknames[builtin-1], TABLE_MAXNAMELEN-1);
+ h->cache_chain_heads[h->cache_num_chains].name[TABLE_MAXNAMELEN-1] = '\0';
h->cache_chain_heads[h->cache_num_chains].start
= (void *)e;
h->cache_num_chains++;
From: Jaromír Končický <jkoncick@redhat.com> Error: STRING_OVERFLOW arptables-v0.0.4/arptables.c:1273: fixed_size_dest: You might overrun the 8192 byte fixed-size string "buf" by copying the return value of "mask_to_dotted(struct in_addr const *)" without checking the length. Error: STRING_OVERFLOW arptables-v0.0.4/arptables.c:1297: fixed_size_dest: You might overrun the 8192 byte fixed-size string "buf" by copying the return value of "mask_to_dotted(struct in_addr const *)" without checking the length. Error: STRING_OVERFLOW arptables-v0.0.4/libarptc/libarptc_incl.c:360: fixed_size_dest: You might overrun the 32 byte fixed-size string "(h->cache_chain_heads + h->cache_num_chains).name" by copying "arpt_get_target(e)->data" without checking the length. Error: STRING_OVERFLOW arptables-v0.0.4/libarptc/libarptc_incl.c:371: fixed_size_dest: You might overrun the 32 byte fixed-size string "(h->cache_chain_heads + h->cache_num_chains).name" by copying "h->hooknames[builtin - 1U]" without checking the length. Error: STRING_OVERFLOW arptables-v0.0.4/libarptc/libarptc_incl.c:213: fixed_size_dest: You might overrun the 32 byte fixed-size string "h->entries.name" by copying "tablename" without checking the length. arptables-v0.0.4/libarptc/libarptc_incl.c:213: parameter_as_source: Note: This defect has an elevated risk because the source argument is a parameter of the current function. Error: STRING_OVERFLOW arptables-v0.0.4/libarptc/libarptc_incl.c:212: fixed_size_dest: You might overrun the 32 byte fixed-size string "h->info.name" by copying "tablename" without checking the length. arptables-v0.0.4/libarptc/libarptc_incl.c:212: parameter_as_source: Note: This defect has an elevated risk because the source argument is a parameter of the current function. Error: STRING_OVERFLOW arptables-v0.0.4/arptables.c:2065: fixed_size_dest: You might overrun the 30 byte fixed-size string "target->t->u.user.name" by copying "jumpto" without checking the length. --- userspace/arptables/arptables.c | 9 +++++---- userspace/arptables/libarptc/libarptc_incl.c | 16 ++++++++++------ 2 files changed, 15 insertions(+), 10 deletions(-)