A static array was used to read data and to write information in
it without checking the limit of the array. The result was a buffer
overflow when the line was longer than 1024.
This patch now uses a allocated buffer to avoid the problem.
Signed-off-by: Eric Leblond <eric@xxxxxxxxx>
---
src/erec.c | 19 ++++++++++++++-----
1 file changed, 14 insertions(+), 5 deletions(-)
diff --git a/src/erec.c b/src/erec.c
index 810e9bf..75a3f74 100644
--- a/src/erec.c
+++ b/src/erec.c
@@ -12,6 +12,7 @@
#include <stdio.h>
#include <string.h>
#include <stdarg.h>
+#include <stdlib.h>
#include <netlink.h>
#include <gmputil.h>
@@ -82,6 +83,7 @@ void erec_print(FILE *f, const struct error_record *erec)
const struct input_descriptor *indesc = loc->indesc, *tmp;
const char *line = NULL; /* silence gcc */
char buf[1024];
+ char *pbuf = NULL;
unsigned int i, end;
int l, ret;
@@ -141,17 +143,24 @@ void erec_print(FILE *f, const struct error_record *erec)
if (indesc->type != INDESC_INTERNAL)
fprintf(f, "%s\n", line);
- memset(buf, ' ', sizeof(buf));
end = 0;
for (l = erec->num_locations - 1; l >= 0; l--) {
loc = &erec->locations[l];
+ end = max(end, loc->last_column);
+ }
+ pbuf = malloc(end + 1);
+ if (pbuf == NULL)
+ return;
+ memset(pbuf, ' ', end + 1);
+ for (l = erec->num_locations - 1; l >= 0; l--) {
+ loc = &erec->locations[l];
for (i = loc->first_column ? loc->first_column - 1 : 0;
i < loc->last_column; i++)
- buf[i] = l ? '~' : '^';
- end = max(end, loc->last_column);
+ pbuf[i] = l ? '~' : '^';
}
- buf[end] = '\0';
- fprintf(f, "%s", buf);
+ pbuf[end] = '\0';
+ fprintf(f, "%s", pbuf);
+ free(pbuf);
}
fprintf(f, "\n");
}
--
2.1.4
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
