These functions contain code which occurs in legacy's print_firewall() functions, so use them there. Rename them to at least make clear they print more than a single address. Also introduce ipv{4,6}_addr_to_string() which take care of converting an address/netmask pair into string representation in a way which doesn't upset covscan (since that didn't detect that 'buf' may not be exceeded by the strings written into it.

Signed-off-by: Phil Sutter <phil@xxxxxx>
---
 iptables/ip6tables.c | 27 +-----------------
 iptables/iptables.c | 25 +----------------
 iptables/nft-ipv4.c | 32 +--------------------
 iptables/nft-ipv6.c | 39 +-------------------------
 iptables/xshared.c | 66 ++++++++++++++++++++++++++++++++++++++++++++
 iptables/xshared.h | 3 ++
 6 files changed, 73 insertions(+), 119 deletions(-)

diff --git a/iptables/ip6tables.c b/iptables/ip6tables.c
index 3bd1e5fade785..f5f73fe319595 100644
--- a/iptables/ip6tables.c
+++ b/iptables/ip6tables.c
@@ -550,7 +550,6 @@ print_firewall(const struct ip6t_entry *fw,
 {
 struct xtables_target *target, *tg;
 const struct xt_entry_target *t;
- char buf[BUFSIZ];
 
 if (!ip6tc_is_chain(targname, handle))
 target = xtables_find_target(targname, XTF_TRY_LOAD);
@@ -618,31 +617,7 @@ print_firewall(const struct ip6t_entry *fw,
 printf(FMT("%-6s ","out %s "), iface);
 }
 
- fputc(fw->ipv6.invflags & IP6T_INV_SRCIP ? '!' : ' ', stdout);
- if (!memcmp(&fw->ipv6.smsk, &in6addr_any, sizeof in6addr_any)
- && !(format & FMT_NUMERIC))
- printf(FMT("%-19s ","%s "), "anywhere");
- else {
- if (format & FMT_NUMERIC)
- strcpy(buf, xtables_ip6addr_to_numeric(&fw->ipv6.src));
- else
- strcpy(buf, xtables_ip6addr_to_anyname(&fw->ipv6.src));
- strcat(buf, xtables_ip6mask_to_numeric(&fw->ipv6.smsk));
- printf(FMT("%-19s ","%s "), buf);
- }
-
- fputc(fw->ipv6.invflags & IP6T_INV_DSTIP ? '!' : ' ', stdout);
- if (!memcmp(&fw->ipv6.dmsk, &in6addr_any, sizeof in6addr_any)
- && !(format & FMT_NUMERIC))
- printf(FMT("%-19s ","-> %s"), "anywhere");
- else {
- if (format & FMT_NUMERIC)
- strcpy(buf, xtables_ip6addr_to_numeric(&fw->ipv6.dst));
- else
- strcpy(buf, xtables_ip6addr_to_anyname(&fw->ipv6.dst));
- strcat(buf, xtables_ip6mask_to_numeric(&fw->ipv6.dmsk));
- printf(FMT("%-19s ","-> %s"), buf);
- }
+ print_ipv6_addresses(fw, format);
 
 if (format & FMT_NOTABLE)
 fputs(" ", stdout);
diff --git a/iptables/iptables.c b/iptables/iptables.c
index 428fae4edb463..31cb97b2ee7fa 100644
--- a/iptables/iptables.c
+++ b/iptables/iptables.c
@@ -535,7 +535,6 @@ print_firewall(const struct ipt_entry *fw,
 struct xtables_target *target, *tg;
 const struct xt_entry_target *t;
 uint8_t flags;
- char buf[BUFSIZ];
 
 if (!iptc_is_chain(targname, handle))
 target = xtables_find_target(targname, XTF_TRY_LOAD);
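Review bot: The removed lines decided on "anywhere" by comparing the mask (`fw->ipv6.smsk`, `fw->ipv6.dmsk`) against `in6addr_any`, but the `print_ipv6_addresses()` call that replaces them ends in `ipv6_addr_to_string()` in the xshared.c hunk, which tests `IN6_IS_ADDR_UNSPECIFIED(addr)`, i.e. the address rather than the mask. For a legacy ip6tables rule with a zero address but a real prefix, such as `-s ::/64`, the listing would now read "anywhere" where it previously read `::/64`, which misstates the match to anyone auditing the ruleset, and the IPv4 helper in the same xshared.c hunk still keys on the mask (`!mask->s_addr`), so the two helpers also disagree with each other. Changing the condition in xshared.c to `if (IN6_IS_ADDR_UNSPECIFIED(mask) && !(format & FMT_NUMERIC))` keeps the legacy output and aligns it with the IPv4 path; the nft-ipv6.c code being removed tested the address, so that path changes either way and the commit message should state which behaviour is intended. print_firewall() continues outside this hunk.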
@@ -604,29 +603,7 @@ print_firewall(const struct ipt_entry *fw,
 printf(FMT("%-6s ","out %s "), iface);
 }
 
- fputc(fw->ip.invflags & IPT_INV_SRCIP ? '!' : ' ', stdout);
- if (fw->ip.smsk.s_addr == 0L && !(format & FMT_NUMERIC))
- printf(FMT("%-19s ","%s "), "anywhere");
- else {
- if (format & FMT_NUMERIC)
- strcpy(buf, xtables_ipaddr_to_numeric(&fw->ip.src));
- else
- strcpy(buf, xtables_ipaddr_to_anyname(&fw->ip.src));
- strcat(buf, xtables_ipmask_to_numeric(&fw->ip.smsk));
- printf(FMT("%-19s ","%s "), buf);
- }
-
- fputc(fw->ip.invflags & IPT_INV_DSTIP ? '!' : ' ', stdout);
- if (fw->ip.dmsk.s_addr == 0L && !(format & FMT_NUMERIC))
- printf(FMT("%-19s ","-> %s"), "anywhere");
- else {
- if (format & FMT_NUMERIC)
- strcpy(buf, xtables_ipaddr_to_numeric(&fw->ip.dst));
- else
- strcpy(buf, xtables_ipaddr_to_anyname(&fw->ip.dst));
- strcat(buf, xtables_ipmask_to_numeric(&fw->ip.dmsk));
- printf(FMT("%-19s ","-> %s"), buf);
- }
+ print_ipv4_addresses(fw, format);
 
 if (format & FMT_NOTABLE)
 fputs(" ", stdout);
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index 2d1bd10e30aaa..20ed9428425dd 100644
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -255,36 +255,6 @@ static void nft_ipv4_parse_immediate(const char *jumpto, bool nft_goto,
 cs->fw.ip.flags |= IPT_F_GOTO;
 }
 
-static void print_ipv4_addr(const struct iptables_command_state *cs,
- unsigned int format)
-{
- char buf[BUFSIZ];
-
- fputc(cs->fw.ip.invflags & IPT_INV_SRCIP ? '!' : ' ', stdout);
- if (cs->fw.ip.smsk.s_addr == 0L && !(format & FMT_NUMERIC))
- printf(FMT("%-19s ","%s "), "anywhere");
- else {
- if (format & FMT_NUMERIC)
- strcpy(buf, xtables_ipaddr_to_numeric(&cs->fw.ip.src));
- else
- strcpy(buf, xtables_ipaddr_to_anyname(&cs->fw.ip.src));
- strcat(buf, xtables_ipmask_to_numeric(&cs->fw.ip.smsk));
- printf(FMT("%-19s ","%s "), buf);
- }
-
- fputc(cs->fw.ip.invflags & IPT_INV_DSTIP ? '!' : ' ', stdout);
- if (cs->fw.ip.dmsk.s_addr == 0L && !(format & FMT_NUMERIC))
- printf(FMT("%-19s ","-> %s"), "anywhere");
- else {
- if (format & FMT_NUMERIC)
- strcpy(buf, xtables_ipaddr_to_numeric(&cs->fw.ip.dst));
- else
- strcpy(buf, xtables_ipaddr_to_anyname(&cs->fw.ip.dst));
- strcat(buf, xtables_ipmask_to_numeric(&cs->fw.ip.dmsk));
- printf(FMT("%-19s ","-> %s"), buf);
- }
-}
-
 static void print_fragment(unsigned int flags, unsigned int invflags,
 unsigned int format)
 {
@@ -310,7 +280,7 @@ static void nft_ipv4_print_rule(struct nftnl_rule *r, unsigned int num,
 print_fragment(cs.fw.ip.flags, cs.fw.ip.invflags, format);
 print_ifaces(cs.fw.ip.iniface, cs.fw.ip.outiface,
 cs.fw.ip.invflags, format);
- print_ipv4_addr(&cs, format);
+ print_ipv4_addresses(&cs.fw, format);
 
 if (format & FMT_NOTABLE)
 fputs(" ", stdout);
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index b1b20ba18d868..1952164e199b9 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -191,43 +191,6 @@ static void nft_ipv6_parse_immediate(const char *jumpto, bool nft_goto,
 cs->fw6.ipv6.flags |= IP6T_F_GOTO;
 }
 
-static void print_ipv6_addr(const struct iptables_command_state *cs,
- unsigned int format)
-{
- char buf[BUFSIZ];
-
- fputc(cs->fw6.ipv6.invflags & IP6T_INV_SRCIP ? '!' : ' ', stdout);
- if (IN6_IS_ADDR_UNSPECIFIED(&cs->fw6.ipv6.src)
- && !(format & FMT_NUMERIC))
- printf(FMT("%-19s ","%s "), "anywhere");
- else {
- if (format & FMT_NUMERIC)
- strcpy(buf,
- xtables_ip6addr_to_numeric(&cs->fw6.ipv6.src));
- else
- strcpy(buf,
- xtables_ip6addr_to_anyname(&cs->fw6.ipv6.src));
- strcat(buf, xtables_ip6mask_to_numeric(&cs->fw6.ipv6.smsk));
- printf(FMT("%-19s ","%s "), buf);
- }
-
-
- fputc(cs->fw6.ipv6.invflags & IP6T_INV_DSTIP ? '!' : ' ', stdout);
- if (IN6_IS_ADDR_UNSPECIFIED(&cs->fw6.ipv6.dst)
- && !(format & FMT_NUMERIC))
- printf(FMT("%-19s ","-> %s"), "anywhere");
- else {
- if (format & FMT_NUMERIC)
- strcpy(buf,
- xtables_ip6addr_to_numeric(&cs->fw6.ipv6.dst));
- else
- strcpy(buf,
- xtables_ip6addr_to_anyname(&cs->fw6.ipv6.dst));
- strcat(buf, xtables_ip6mask_to_numeric(&cs->fw6.ipv6.dmsk));
- printf(FMT("%-19s ","-> %s"), buf);
- }
-}
-
 static void nft_ipv6_print_rule(struct nftnl_rule *r, unsigned int num,
 unsigned int format)
 {
@@ -245,7 +208,7 @@ static void nft_ipv6_print_rule(struct nftnl_rule *r, unsigned int num,
 }
 print_ifaces(cs.fw6.ipv6.iniface, cs.fw6.ipv6.outiface,
 cs.fw6.ipv6.invflags, format);
- print_ipv6_addr(&cs, format);
+ print_ipv6_addresses(&cs.fw6, format);
 
 if (format & FMT_NOTABLE)
 fputs(" ", stdout);
diff --git a/iptables/xshared.c b/iptables/xshared.c
index 492e008737956..d30e723254570 100644
--- a/iptables/xshared.c
+++ b/iptables/xshared.c
@@ -502,3 +502,69 @@ void add_param_to_argv(char *parsestart, int line)
 param_len = 0;
 }
 }
+
+static const char *ipv4_addr_to_string(const struct in_addr *addr,
+ const struct in_addr *mask,
+ unsigned int format)
+{
+ static char buf[BUFSIZ];
+
+ if (!mask->s_addr && !(format & FMT_NUMERIC))
+ return "anywhere";
+
+ if (format & FMT_NUMERIC)
+ strncpy(buf, xtables_ipaddr_to_numeric(addr), BUFSIZ - 1);
+ else
+ strncpy(buf, xtables_ipaddr_to_anyname(addr), BUFSIZ - 1);
+ buf[BUFSIZ - 1] = '\0';
+
+ strncat(buf, xtables_ipmask_to_numeric(mask),
+ BUFSIZ - strlen(buf) - 1);
+
+ return buf;
+}
+
+void print_ipv4_addresses(const struct ipt_entry *fw, unsigned int format)
+{
+ fputc(fw->ip.invflags & IPT_INV_SRCIP ? '!' : ' ', stdout);
+ printf(FMT("%-19s ", "%s "),
+ ipv4_addr_to_string(&fw->ip.src, &fw->ip.smsk, format));
+
+ fputc(fw->ip.invflags & IPT_INV_DSTIP ? '!' : ' ', stdout);
+ printf(FMT("%-19s ", "-> %s"),
+ ipv4_addr_to_string(&fw->ip.dst, &fw->ip.dmsk, format));
+}
+
+static const char *ipv6_addr_to_string(const struct in6_addr *addr,
+ const struct in6_addr *mask,
+ unsigned int format)
+{
+ static char buf[BUFSIZ];
+
+ if (IN6_IS_ADDR_UNSPECIFIED(addr) && !(format & FMT_NUMERIC))
+ return "anywhere";
+
+ if (format & FMT_NUMERIC)
+ strncpy(buf, xtables_ip6addr_to_numeric(addr), BUFSIZ - 1);
+ else
+ strncpy(buf, xtables_ip6addr_to_anyname(addr), BUFSIZ - 1);
+ buf[BUFSIZ - 1] = '\0';
+
+ strncat(buf, xtables_ip6mask_to_numeric(mask),
+ BUFSIZ - strlen(buf) - 1);
+
+ return buf;
+}
+
+void print_ipv6_addresses(const struct ip6t_entry *fw6, unsigned int format)
+{
+ fputc(fw6->ipv6.invflags & IP6T_INV_SRCIP ? '!' : ' ', stdout);
+ printf(FMT("%-19s ", "%s "),
+ ipv6_addr_to_string(&fw6->ipv6.src,
+ &fw6->ipv6.smsk, format));
+
+ fputc(fw6->ipv6.invflags & IP6T_INV_DSTIP ? '!' : ' ', stdout);
+ printf(FMT("%-19s ", "-> %s"),
+ ipv6_addr_to_string(&fw6->ipv6.dst,
+ &fw6->ipv6.dmsk, format));
+}
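Review bot: `ipv4_addr_to_string()` and `ipv6_addr_to_string()` return a pointer into a function-local `static char buf[BUFSIZ]`, so the result is valid only until the next call and the helpers are not reentrant, yet nothing in the hunk says so; a later caller that hands the source and destination strings to a single `printf()` would print the same value twice. A one-line comment above each helper, e.g. `/* Returns "anywhere" or a pointer to a static buffer that the next call overwrites. */`, would keep that contract visible to the next maintainer. The `strncpy` with an explicit terminator followed by the length-limited `strncat` keeps every write within BUFSIZ, so the bound the commit message is after does hold.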
diff --git a/iptables/xshared.h b/iptables/xshared.h
index 801d0f7564dc4..cb6f761d8afa1 100644
--- a/iptables/xshared.h
+++ b/iptables/xshared.h
@@ -168,4 +168,7 @@ void free_argv(void);
 void save_argv(void);
 void add_param_to_argv(char *parsestart, int line);
 
+void print_ipv4_addresses(const struct ipt_entry *fw, unsigned int format);
+void print_ipv6_addresses(const struct ip6t_entry *fw6, unsigned int format);
+
 #endif /* IPTABLES_XSHARED_H */
-- 
2.18.0