From patchwork Sat Aug 31 13:13:27 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Tomas Paukrt X-Patchwork-Id: 1156182 X-Patchwork-Delegate: shemminger@vyatta.com Return-Path: X-Original-To: patchwork-incoming-netdev@ozlabs.org Delivered-To: patchwork-incoming-netdev@ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netdev-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=pass (p=none dis=none) header.from=email.cz Authentication-Results: ozlabs.org; dkim=pass (1024-bit key; secure) header.d=email.cz header.i=@email.cz header.b="bjgbhCcY"; dkim-atps=neutral Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 46LGxq45Ctz9s5b for ; Sat, 31 Aug 2019 23:13:35 +1000 (AEST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727177AbfHaNNc (ORCPT ); Sat, 31 Aug 2019 09:13:32 -0400 Received: from mxf1.seznam.cz ([77.75.78.123]:31670 "EHLO mxf1.seznam.cz" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726516AbfHaNNc (ORCPT ); Sat, 31 Aug 2019 09:13:32 -0400 Received: from email.seznam.cz by email-smtpc9a.ko.seznam.cz (email-smtpc9a.ko.seznam.cz [10.53.11.15]) id 59263c19a7d28eb359a8b201; Sat, 31 Aug 2019 15:13:29 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=email.cz; s=beta; t=1567257209; bh=Y2btOxW4niJetCFjZRRvSjrI4LjhqTndw2H+culs3eE=; h=Received:From:To:Subject:Date:Message-Id:Mime-Version:X-Mailer: Content-Type; b=bjgbhCcYhQvdtiKBw9MNcnd+1SSXsVL4pre6rXfdo3fDwVhtxaIY8qZDLw6gTS6jK KIt+vH0ZjEB47nmqYxrqzLg0YlvE8bGjAdHHF7rKuEqtDRzNCWxPbsXFOsETZl9oXC mSZP5Tl/aAxRJ2kZ0SnzA5Kg7phOI41cWNYUW1m0= Received: from unknown ([::ffff:82.144.143.34]) by email.seznam.cz (szn-ebox-4.5.361) with HTTP; Sat, 31 Aug 2019 15:13:27 +0200 (CEST) From: To: Subject: iproute2: tc: potential buffer overflow Date: Sat, 31 Aug 2019 15:13:27 +0200 (CEST) Message-Id: <8fo.ZWfD.3kvedbSyU2M.1TQd9t@seznam.cz> Mime-Version: 1.0 (szn-mime-2.0.45) X-Mailer: szn-ebox-4.5.361 Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org Hi, there are two potentially dangerous calls of strcpy function in the program "tc". In the attachment is a patch that fixes this issue. Tomas diff --git a/tc/m_ipt.c b/tc/m_ipt.c index cc95eab7..cb64380b 100644 --- a/tc/m_ipt.c +++ b/tc/m_ipt.c @@ -269,7 +269,8 @@ static int build_st(struct xtables_target *target, struct ipt_entry_target *t) } else { target->t = t; } - strcpy(target->t->u.user.name, target->name); + strncpy(target->t->u.user.name, target->name, + sizeof(target->t->u.user.name) - 1); return 0; } diff --git a/tc/m_xt_old.c b/tc/m_xt_old.c index 6a4509a9..974ac496 100644 --- a/tc/m_xt_old.c +++ b/tc/m_xt_old.c @@ -177,7 +177,8 @@ build_st(struct xtables_target *target, struct xt_entry_target *t) if (t == NULL) { target->t = fw_calloc(1, size); target->t->u.target_size = size; - strcpy(target->t->u.user.name, target->name); + strncpy(target->t->u.user.name, target->name, + sizeof(target->t->u.user.name) - 1); set_revision(target->t->u.user.name, target->revision); if (target->init != NULL)