xt_DNETMAP: fix a buffer overflow

prefix_str was only 16 bytes, but the largest emitted string could be
"255.255.255.255/32" (19 bytes).

xt_DNETMAP.c: In function "dnetmap_tg_check":
compat_xtables.h:46:22: warning: "%u" directive writing between 1 and 10
bytes into a region of size between 0 and 8 [-Wformat-overflow=]
 # define NIPQUAD_FMT "%u.%u.%u.%u"
xt_DNETMAP.c:296:2: note: "sprintf" output between 10 and 27 bytes into
a destination of size 16
  sprintf(p->prefix_str, NIPQUAD_FMT "/%u", NIPQUAD(mr->min_addr.ip),
   33 - ffs(~(ip_min ^ ip_max)));

diff --git a/extensions/xt_DNETMAP.c b/extensions/xt_DNETMAP.c
index ec6177a0db70ea70d5ce8a514894fe9e601830d4..21bbab51b4af30635af52f42a4858771235a8e23 100644 (file)
--- a/extensions/xt_DNETMAP.c
+++ b/extensions/xt_DNETMAP.c
@@ -81,7 +81,7 @@ struct dnetmap_entry {
 
 struct dnetmap_prefix {
        struct nf_nat_range prefix;
-       char prefix_str[16];
+       char prefix_str[20];
 #ifdef CONFIG_PROC_FS
        char proc_str_data[20];
        char proc_str_stat[25];