erec: fix buffer overflow

A static array was used to read data and to write information in
it without checking the limit of the array. The result was a buffer
overflow when the line was longer than 1024.

This patch now uses a allocated buffer to avoid the problem.

Signed-off-by: Eric Leblond <eric@regit.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/src/erec.c b/src/erec.c
index 810e9bfdf41a75514990dabbccfb34325f9ec73d..8abed4d94f20e500ae01b1e8d8c9c20dd1fb917c 100644 (file)
--- a/src/erec.c
+++ b/src/erec.c
@@ -12,6 +12,7 @@
 #include <stdio.h>
 #include <string.h>
 #include <stdarg.h>
+#include <stdlib.h>
 
 #include <netlink.h>
 #include <gmputil.h>
@@ -82,6 +83,7 @@ void erec_print(FILE *f, const struct error_record *erec)
        const struct input_descriptor *indesc = loc->indesc, *tmp;
        const char *line = NULL; /* silence gcc */
        char buf[1024];
+       char *pbuf = NULL;
        unsigned int i, end;
        int l, ret;
 
@@ -141,17 +143,22 @@ void erec_print(FILE *f, const struct error_record *erec)
                if (indesc->type != INDESC_INTERNAL)
                        fprintf(f, "%s\n", line);
 
-               memset(buf, ' ', sizeof(buf));
                end = 0;
+               for (l = erec->num_locations - 1; l >= 0; l--) {
+                       loc = &erec->locations[l];
+                       end = max(end, loc->last_column);
+               }
+               pbuf = xmalloc(end + 1);
+               memset(pbuf, ' ', end + 1);
                for (l = erec->num_locations - 1; l >= 0; l--) {
                        loc = &erec->locations[l];
                        for (i = loc->first_column ? loc->first_column - 1 : 0;
                             i < loc->last_column; i++)
-                               buf[i] = l ? '~' : '^';
-                       end = max(end, loc->last_column);
+                               pbuf[i] = l ? '~' : '^';
                }
-               buf[end] = '\0';
-               fprintf(f, "%s", buf);
+               pbuf[end] = '\0';
+               fprintf(f, "%s", pbuf);
+               xfree(pbuf);
        }
        fprintf(f, "\n");
 }