From 103040a94970a52dde285a24f0fbb5193ea74d84 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jarom=C3=ADr=20Kon=C4=8Dick=C3=BD?= Date: Tue, 15 Oct 2013 21:55:52 +0200 Subject: [PATCH] fix potential buffer overflows reported by static analysis (cherry picked from commit 8f586939999e039563fee6bca4685895067a2b77) Signed-off-by: Phil Sutter --- arptables.c | 9 +++++---- libarptc/libarptc_incl.c | 16 ++++++++++------ 2 files changed, 15 insertions(+), 10 deletions(-) diff --git a/arptables.c b/arptables.c index 8ef445a4700c4..4da6fea980bb9 100644 --- a/arptables.c +++ b/arptables.c @@ -1270,7 +1270,7 @@ print_firewall(const struct arpt_entry *fw, sprintf(buf, "%s", addr_to_dotted(&(fw->arp.src))); else sprintf(buf, "%s", addr_to_anyname(&(fw->arp.src))); - strcat(buf, mask_to_dotted(&(fw->arp.smsk))); + strncat(buf, mask_to_dotted(&(fw->arp.smsk)), sizeof(buf) - strlen(buf) -1); printf("-s %s ", buf); } @@ -1294,7 +1294,7 @@ after_devsrc: sprintf(buf, "%s", addr_to_dotted(&(fw->arp.tgt))); else sprintf(buf, "%s", addr_to_anyname(&(fw->arp.tgt))); - strcat(buf, mask_to_dotted(&(fw->arp.tmsk))); + strncat(buf, mask_to_dotted(&(fw->arp.tmsk)), sizeof(buf) - strlen(buf) -1); printf("-d %s ", buf); } @@ -1796,7 +1796,7 @@ int do_command(int argc, char *argv[], char **table, arptc_handle_t *handle) *table, arptc_strerror(errno)); } } - } + } memset(&fw, 0, sizeof(fw)); opts = original_opts; @@ -2064,7 +2064,8 @@ int do_command(int argc, char *argv[], char **table, arptc_handle_t *handle) target->t = fw_calloc(1, size); target->t->u.target_size = size; - strcpy(target->t->u.user.name, jumpto); + strncpy(target->t->u.user.name, jumpto, sizeof(target->t->u.user.name)); + target->t->u.user.name[sizeof(target->t->u.user.name)-1] = '\0'; /* target->init(target->t, &fw.nfcache); */ diff --git a/libarptc/libarptc_incl.c b/libarptc/libarptc_incl.c index 2fa3d43576933..9c1aeac7ca3de 100644 --- a/libarptc/libarptc_incl.c +++ b/libarptc/libarptc_incl.c @@ -209,8 +209,10 @@ alloc_handle(const char *tablename, unsigned int size, unsigned int num_rules) h->counter_map = (void *)h + sizeof(STRUCT_TC_HANDLE) + size; - strcpy(h->info.name, tablename); - strcpy(h->entries.name, tablename); + strncpy(h->info.name, tablename, sizeof(h->info.name)); + h->info.name[sizeof(h->info.name)-1] = '\0'; + strncpy(h->entries.name, tablename, sizeof(h->entries.name)); + h->entries.name[sizeof(h->entries.name)-1] = '\0'; return h; } @@ -357,8 +359,9 @@ add_chain(STRUCT_ENTRY *e, TC_HANDLE_T h, STRUCT_ENTRY **prev) h->cache_chain_heads[h->cache_num_chains-1].end = *prev; - strcpy(h->cache_chain_heads[h->cache_num_chains].name, - (const char *)GET_TARGET(e)->data); + strncpy(h->cache_chain_heads[h->cache_num_chains].name, + (const char *)GET_TARGET(e)->data, TABLE_MAXNAMELEN-1); + h->cache_chain_heads[h->cache_num_chains].name[TABLE_MAXNAMELEN-1] = '\0'; h->cache_chain_heads[h->cache_num_chains].start = (void *)e + e->next_offset; h->cache_num_chains++; @@ -368,8 +371,9 @@ add_chain(STRUCT_ENTRY *e, TC_HANDLE_T h, STRUCT_ENTRY **prev) h->cache_chain_heads[h->cache_num_chains-1].end = *prev; - strcpy(h->cache_chain_heads[h->cache_num_chains].name, - h->hooknames[builtin-1]); + strncpy(h->cache_chain_heads[h->cache_num_chains].name, + h->hooknames[builtin-1], TABLE_MAXNAMELEN-1); + h->cache_chain_heads[h->cache_num_chains].name[TABLE_MAXNAMELEN-1] = '\0'; h->cache_chain_heads[h->cache_num_chains].start = (void *)e; h->cache_num_chains++; -- 2.21.0