From 103040a94970a52dde285a24f0fbb5193ea74d84 Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?Jarom=C3=ADr=20Kon=C4=8Dick=C3=BD?= <jkoncick@redhat.com>

Date: Tue, 15 Oct 2013 21:55:52 +0200

Subject: [PATCH] fix potential buffer overflows reported by static analysis

(cherry picked from commit 8f586939999e039563fee6bca4685895067a2b77)

Signed-off-by: Phil Sutter <psutter@redhat.com>

---

 arptables.c              |  9 +++++----

 libarptc/libarptc_incl.c | 16 ++++++++++------

 2 files changed, 15 insertions(+), 10 deletions(-)

diff --git a/arptables.c b/arptables.c

index 8ef445a4700c4..4da6fea980bb9 100644

--- a/arptables.c

+++ b/arptables.c

@@ -1270,7 +1270,7 @@ print_firewall(const struct arpt_entry *fw,

 			sprintf(buf, "%s", addr_to_dotted(&(fw->arp.src)));

 		else

 			sprintf(buf, "%s", addr_to_anyname(&(fw->arp.src)));

-		strcat(buf, mask_to_dotted(&(fw->arp.smsk)));

+		strncat(buf, mask_to_dotted(&(fw->arp.smsk)), sizeof(buf) - strlen(buf) -1);

 		printf("-s %s ", buf);

 	}

@@ -1294,7 +1294,7 @@ after_devsrc:

 			sprintf(buf, "%s", addr_to_dotted(&(fw->arp.tgt)));

 		else

 			sprintf(buf, "%s", addr_to_anyname(&(fw->arp.tgt)));

-		strcat(buf, mask_to_dotted(&(fw->arp.tmsk)));

+		strncat(buf, mask_to_dotted(&(fw->arp.tmsk)),  sizeof(buf) - strlen(buf) -1);

 		printf("-d %s ", buf);

 	}

@@ -1796,7 +1796,7 @@ int do_command(int argc, char *argv[], char **table, arptc_handle_t *handle)

 				*table, arptc_strerror(errno));

 			}

 		}

-        }

+	}

 	memset(&fw, 0, sizeof(fw));

 	opts = original_opts;

@@ -2064,7 +2064,8 @@ int do_command(int argc, char *argv[], char **table, arptc_handle_t *handle)

 				target->t = fw_calloc(1, size);

 				target->t->u.target_size = size;

-				strcpy(target->t->u.user.name, jumpto);

+				strncpy(target->t->u.user.name, jumpto, sizeof(target->t->u.user.name));

+				target->t->u.user.name[sizeof(target->t->u.user.name)-1] = '\0';

 /*

 				target->init(target->t, &fw.nfcache);

 */

diff --git a/libarptc/libarptc_incl.c b/libarptc/libarptc_incl.c

index 2fa3d43576933..9c1aeac7ca3de 100644

--- a/libarptc/libarptc_incl.c

+++ b/libarptc/libarptc_incl.c

@@ -209,8 +209,10 @@ alloc_handle(const char *tablename, unsigned int size, unsigned int num_rules)

 	h->counter_map = (void *)h

 		+ sizeof(STRUCT_TC_HANDLE)

 		+ size;

-	strcpy(h->info.name, tablename);

-	strcpy(h->entries.name, tablename);

+	strncpy(h->info.name, tablename, sizeof(h->info.name));

+	h->info.name[sizeof(h->info.name)-1] = '\0';

+	strncpy(h->entries.name, tablename, sizeof(h->entries.name));

+	h->entries.name[sizeof(h->entries.name)-1] = '\0';

 	return h;

 }

@@ -357,8 +359,9 @@ add_chain(STRUCT_ENTRY *e, TC_HANDLE_T h, STRUCT_ENTRY **prev)

 		h->cache_chain_heads[h->cache_num_chains-1].end

 			= *prev;

-		strcpy(h->cache_chain_heads[h->cache_num_chains].name,

-		       (const char *)GET_TARGET(e)->data);

+		strncpy(h->cache_chain_heads[h->cache_num_chains].name,

+		       (const char *)GET_TARGET(e)->data, TABLE_MAXNAMELEN-1);

+		h->cache_chain_heads[h->cache_num_chains].name[TABLE_MAXNAMELEN-1] = '\0';

 		h->cache_chain_heads[h->cache_num_chains].start

 			= (void *)e + e->next_offset;

 		h->cache_num_chains++;

@@ -368,8 +371,9 @@ add_chain(STRUCT_ENTRY *e, TC_HANDLE_T h, STRUCT_ENTRY **prev)

 			h->cache_chain_heads[h->cache_num_chains-1].end

 				= *prev;

-		strcpy(h->cache_chain_heads[h->cache_num_chains].name,

-		       h->hooknames[builtin-1]);

+		strncpy(h->cache_chain_heads[h->cache_num_chains].name,

+		       h->hooknames[builtin-1], TABLE_MAXNAMELEN-1);

+		h->cache_chain_heads[h->cache_num_chains].name[TABLE_MAXNAMELEN-1] = '\0';

 		h->cache_chain_heads[h->cache_num_chains].start

 			= (void *)e;

 		h->cache_num_chains++;

-- 

2.21.0