datatype: fix missing nul-terminated string in string_type_print

Thomas Berger reported that he is seeing garbage after valid string
values, eg.

fwtest01 ~ # nft -i
nft> table filter
nft> add chain filter input
nft> add rule filter input meta iifname "lo" accept
nft> list table filter
table ip filter {
        chain input {
                 meta iifname "lo�.�" accept
        }
...

The buffer that is allocated in the stack does not include room to
nul-terminate the string accordingly. This patch fixes bugzilla
report #872:

https://bugzilla.netfilter.org/show_bug.cgi?id=872

Reported-by: Thomas Berger <loki@lokis-chaos.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/src/datatype.c b/src/datatype.c
index 4c5a70f2e9161ebadbc7d794b57ccbfe924e3b07..2e5788dc8a6aa8ca8093032ab3fbe97b7f6bdb74 100644 (file)
--- a/src/datatype.c
+++ b/src/datatype.c
@@ -256,9 +256,10 @@ const struct datatype integer_type = {
 static void string_type_print(const struct expr *expr)
 {
        unsigned int len = div_round_up(expr->len, BITS_PER_BYTE);
-       char data[len];
+       char data[len+1];
 
        mpz_export_data(data, expr->value, BYTEORDER_HOST_ENDIAN, len);
+       data[len] = '\0';
        printf("\"%s\"", data);
 }