expr/data_reg.c: In function 'nftnl_data_reg_json_parse': expr/data_reg.c:69:27: warning: '%d' directive writing between 1 and 10 bytes into a region of size 2 [-Wformat-overflow=] sprintf(node_name, "data%d", i); ^~ expr/data_reg.c:69:22: note: directive argument in the range [0, 2147483647] sprintf(node_name, "data%d", i); Buffer overflow is triggerable when reg->len > 396, but len never goes over 128 due to type validation just a bit before. Use snprintf() and make sure buffer is large enough to store the "data256" string. Reported-by: Jan Engelhardt <jengelh@xxxxxxx> Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> --- v2: Forgot to turn on --with-json-parsing when testing this. src/expr/data_reg.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/src/expr/data_reg.c b/src/expr/data_reg.c index 70232028869a..992ea2898958 100644 --- a/src/expr/data_reg.c +++ b/src/expr/data_reg.c @@ -59,14 +59,15 @@ static int nftnl_data_reg_verdict_json_parse(union nftnl_data_reg *reg, json_t * static int nftnl_data_reg_value_json_parse(union nftnl_data_reg *reg, json_t *data, struct nftnl_parse_err *err) { - int i; - char node_name[6]; + char node_name[8] = {}; /* strlen("data256") + 1 == 8 */ + int ret, remain = 8, offset = 0, i; if (nftnl_jansson_parse_val(data, "len", NFTNL_TYPE_U8, ®->len, err) < 0) return DATA_NONE; for (i = 0; i < div_round_up(reg->len, sizeof(uint32_t)); i++) { - sprintf(node_name, "data%d", i); + ret = snprintf(node_name, sizeof(node_name), "data%u", i); + SNPRINTF_BUFFER_SIZE(ret, remain, offset); if (nftnl_jansson_str2num(data, node_name, BASE_HEX, ®->val[i], NFTNL_TYPE_U32, err) != 0) -- 2.11.0 -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html