Blame SOURCES/libiptc-NULL-terminate-errorname.patch

43df5c
From 9dfd443c3828a3e9a3cf5cf2afb9f0324bacb19a Mon Sep 17 00:00:00 2001
43df5c
From: Phil Sutter <psutter@redhat.com>
43df5c
Date: Fri, 15 Mar 2019 17:51:28 +0100
43df5c
Subject: [PATCH] libiptc: NULL-terminate errorname
43df5c
43df5c
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1525980
43df5c
Upstream Status: iptables commit a76ba54e28337
43df5c
43df5c
commit a76ba54e2833761c46fd57cbe2486cbc38686717
43df5c
Author: Phil Sutter <phil@nwl.cc>
43df5c
Date:   Mon Sep 24 19:25:22 2018 +0200
43df5c
43df5c
    libiptc: NULL-terminate errorname
43df5c
43df5c
    In struct chain_head, field 'name' is of size TABLE_MAXNAMELEN, hence
43df5c
    copying its content into 'error_name' field of struct xt_error_target
43df5c
    which is two bytes shorter may overflow. Make sure this doesn't happen
43df5c
    by using strncpy() and set the last byte to zero.
43df5c
43df5c
    Signed-off-by: Phil Sutter <phil@nwl.cc>
43df5c
    Signed-off-by: Florian Westphal <fw@strlen.de>
43df5c
43df5c
Signed-off-by: Phil Sutter <psutter@redhat.com>
43df5c
---
43df5c
 libiptc/libiptc.c | 3 ++-
43df5c
 1 file changed, 2 insertions(+), 1 deletion(-)
43df5c
43df5c
diff --git a/libiptc/libiptc.c b/libiptc/libiptc.c
43df5c
index f6a9862ea9f4d..d2427c16a5254 100644
43df5c
--- a/libiptc/libiptc.c
43df5c
+++ b/libiptc/libiptc.c
43df5c
@@ -1149,7 +1149,8 @@ static int iptcc_compile_chain(struct xtc_handle *h, STRUCT_REPLACE *repl, struc
43df5c
 		strcpy(head->name.target.u.user.name, ERROR_TARGET);
43df5c
 		head->name.target.u.target_size =
43df5c
 				ALIGN(sizeof(struct xt_error_target));
43df5c
-		strcpy(head->name.errorname, c->name);
43df5c
+		strncpy(head->name.errorname, c->name, XT_FUNCTION_MAXNAMELEN);
43df5c
+		head->name.errorname[XT_FUNCTION_MAXNAMELEN - 1] = '\0';
43df5c
 	} else {
43df5c
 		repl->hook_entry[c->hooknum-1] = c->head_offset;
43df5c
 		repl->underflow[c->hooknum-1] = c->foot_offset;
43df5c
-- 
43df5c
2.21.0
43df5c