libxt_conntrack: Avoid potential buffer overrun

In print_addr(), a resolved hostname is written into a buffer without
size check. Since BUFSIZ is typically 8192 bytes, this shouldn't be an
issue, though covscan complained about it. Fix the code by using
conntrack_dump_addr() as an example.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>

diff --git a/extensions/libxt_conntrack.c b/extensions/libxt_conntrack.c
index f1bc8f453092bb341694ac734e8f91771f767756..daa8c15a5fabf76b5b92e98965345a794cdddc9b 100644 (file)
--- a/extensions/libxt_conntrack.c
+++ b/extensions/libxt_conntrack.c
@@ -673,20 +673,20 @@ static void
 print_addr(const struct in_addr *addr, const struct in_addr *mask,
            int inv, int numeric)
 {
-       char buf[BUFSIZ];
-
        if (inv)
                printf(" !");
 
        if (mask->s_addr == 0L && !numeric)
-               printf(" %s", "anywhere");
+               printf(" anywhere");
        else {
                if (numeric)
-                       strcpy(buf, xtables_ipaddr_to_numeric(addr));
+                       printf(" %s%s",
+                              xtables_ipaddr_to_numeric(addr),
+                              xtables_ipmask_to_numeric(mask));
                else
-                       strcpy(buf, xtables_ipaddr_to_anyname(addr));
-               strcat(buf, xtables_ipmask_to_numeric(mask));
-               printf(" %s", buf);
+                       printf(" %s%s",
+                              xtables_ipaddr_to_anyname(addr),
+                              xtables_ipmask_to_numeric(mask));
        }
 }