expr/data_reg.c: In function 'nftnl_data_reg_json_parse':
expr/data_reg.c:69:27: warning: '%d' directive writing between 1 and 10 bytes into a region of size 2 [-Wformat-overflow=]
sprintf(node_name, "data%d", i);
^~
expr/data_reg.c:69:22: note: directive argument in the range [0, 2147483647]
sprintf(node_name, "data%d", i);
Buffer overflow is triggerable when reg->len > 396, but len never goes
over 128 due to type validation just a bit before.
Use snprintf() and make sure buffer is large enough to store the
"data256" string.
Reported-by: Jan Engelhardt <jengelh@xxxxxxx>
Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
---
src/expr/data_reg.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/expr/data_reg.c b/src/expr/data_reg.c
index 70232028869a..1f689c5b6c7b 100644
--- a/src/expr/data_reg.c
+++ b/src/expr/data_reg.c
@@ -59,14 +59,15 @@ static int nftnl_data_reg_verdict_json_parse(union nftnl_data_reg *reg, json_t *
static int nftnl_data_reg_value_json_parse(union nftnl_data_reg *reg, json_t *data,
struct nftnl_parse_err *err)
{
- int i;
- char node_name[6];
+ char node_name[strlen("data256") + 1] = {};
+ int ret, remain = size, offset = 0, i;
if (nftnl_jansson_parse_val(data, "len", NFTNL_TYPE_U8, ®->len, err) < 0)
return DATA_NONE;
for (i = 0; i < div_round_up(reg->len, sizeof(uint32_t)); i++) {
- sprintf(node_name, "data%d", i);
+ ret = snprintf(node_name, sizeof(node_name), "data%u", i);
+ SNPRINTF_BUFFER_SIZE(ret, remain, offset);
if (nftnl_jansson_str2num(data, node_name, BASE_HEX,
®->val[i], NFTNL_TYPE_U32, err) != 0)
--
2.11.0
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
