Ana Rey <anarey@xxxxxxxxx> wrote:
> --- a/src/expr/target.c
> +++ b/src/expr/target.c
> @@ -42,8 +42,8 @@ nft_rule_expr_target_set(struct nft_rule_expr *e, uint16_t type,
>
> switch(type) {
> case NFT_EXPR_TG_NAME:
> - memcpy(tg->name, data, XT_EXTENSION_MAXNAMELEN);
> - tg->name[XT_EXTENSION_MAXNAMELEN-1] = '\0';
> + memcpy(tg->name, data, strlen(data));
This can overflow tg->name, since the size of the source
is tested instead of destination.
What about:
snprintf(tg->name, sizeof(tg->name), "%.*s", data_len, (const char *) data);
?
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
