From 1874fcd519eb5332b63bddcd76fadae9a8260798 Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Thu, 15 Jun 2017 12:15:48 +0200 Subject: [PATCH] xt_DNETMAP: fix a buffer overflow prefix_str was only 16 bytes, but the largest emitted string could be "255.255.255.255/32" (19 bytes). xt_DNETMAP.c: In function "dnetmap_tg_check": compat_xtables.h:46:22: warning: "%u" directive writing between 1 and 10 bytes into a region of size between 0 and 8 [-Wformat-overflow=] # define NIPQUAD_FMT "%u.%u.%u.%u" xt_DNETMAP.c:296:2: note: "sprintf" output between 10 and 27 bytes into a destination of size 16 sprintf(p->prefix_str, NIPQUAD_FMT "/%u", NIPQUAD(mr->min_addr.ip), 33 - ffs(~(ip_min ^ ip_max))); --- extensions/xt_DNETMAP.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/extensions/xt_DNETMAP.c b/extensions/xt_DNETMAP.c index ec6177a..21bbab5 100644 --- a/extensions/xt_DNETMAP.c +++ b/extensions/xt_DNETMAP.c @@ -81,7 +81,7 @@ struct dnetmap_entry { struct dnetmap_prefix { struct nf_nat_range prefix; - char prefix_str[16]; + char prefix_str[20]; #ifdef CONFIG_PROC_FS char proc_str_data[20]; char proc_str_stat[25];