In struct chain_head, field 'name' is of size TABLE_MAXNAMELEN, hence
copying its content into 'error_name' field of struct xt_error_target
which is two bytes shorter may overflow. Make sure this doesn't happen
by using strncpy() and set the last byte to zero.
Signed-off-by: Phil Sutter <phil@xxxxxx>
---
libiptc/libiptc.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/libiptc/libiptc.c b/libiptc/libiptc.c
index 7c3cb9e7cf076..9ecec581e119e 100644
--- a/libiptc/libiptc.c
+++ b/libiptc/libiptc.c
@@ -1150,7 +1150,8 @@ static int iptcc_compile_chain(struct xtc_handle *h, STRUCT_REPLACE *repl, struc
strcpy(head->name.target.u.user.name, ERROR_TARGET);
head->name.target.u.target_size =
ALIGN(sizeof(struct xt_error_target));
- strcpy(head->name.errorname, c->name);
+ strncpy(head->name.errorname, c->name, XT_FUNCTION_MAXNAMELEN);
+ head->name.errorname[XT_FUNCTION_MAXNAMELEN - 1] = '\0';
} else {
repl->hook_entry[c->hooknum-1] = c->head_offset;
repl->underflow[c->hooknum-1] = c->foot_offset;
--
2.19.0
