libiptc: NULL-terminate errorname

In struct chain_head, field 'name' is of size TABLE_MAXNAMELEN, hence
copying its content into 'error_name' field of struct xt_error_target
which is two bytes shorter may overflow. Make sure this doesn't happen
by using strncpy() and set the last byte to zero.

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>

diff --git a/libiptc/libiptc.c b/libiptc/libiptc.c
index 7c3cb9e7cf0768daf9a56b3b0b61be20ea18a86a..9ecec581e119ed9e18c0264472bb1d961983b6a5 100644 (file)
--- a/libiptc/libiptc.c
+++ b/libiptc/libiptc.c
@@ -1150,7 +1150,8 @@ static int iptcc_compile_chain(struct xtc_handle *h, STRUCT_REPLACE *repl, struc
                strcpy(head->name.target.u.user.name, ERROR_TARGET);
                head->name.target.u.target_size =
                                ALIGN(sizeof(struct xt_error_target));
-               strcpy(head->name.errorname, c->name);
+               strncpy(head->name.errorname, c->name, XT_FUNCTION_MAXNAMELEN);
+               head->name.errorname[XT_FUNCTION_MAXNAMELEN - 1] = '\0';
        } else {
                repl->hook_entry[c->hooknum-1] = c->head_offset;
                repl->underflow[c->hooknum-1] = c->foot_offset;