From: Jan Engelhardt <jengelh@inai.de>
Date: Thu, 15 Jun 2017 10:15:48 +0000 (+0200)
Subject: xt_DNETMAP: fix a buffer overflow
X-Git-Tag: v2.13~4
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1874fcd519eb5332b63bddcd76fadae9a8260798;p=thirdparty%2Fxtables-addons.git

xt_DNETMAP: fix a buffer overflow

prefix_str was only 16 bytes, but the largest emitted string could be
"255.255.255.255/32" (19 bytes).

xt_DNETMAP.c: In function "dnetmap_tg_check":
compat_xtables.h:46:22: warning: "%u" directive writing between 1 and 10
bytes into a region of size between 0 and 8 [-Wformat-overflow=]
 # define NIPQUAD_FMT "%u.%u.%u.%u"
xt_DNETMAP.c:296:2: note: "sprintf" output between 10 and 27 bytes into
a destination of size 16
  sprintf(p->prefix_str, NIPQUAD_FMT "/%u", NIPQUAD(mr->min_addr.ip),
   33 - ffs(~(ip_min ^ ip_max)));
---

diff --git a/extensions/xt_DNETMAP.c b/extensions/xt_DNETMAP.c
index ec6177a..21bbab5 100644
--- a/extensions/xt_DNETMAP.c
+++ b/extensions/xt_DNETMAP.c
@@ -81,7 +81,7 @@ struct dnetmap_entry {
 
 struct dnetmap_prefix {
 	struct nf_nat_range prefix;
-	char prefix_str[16];
+	char prefix_str[20];
 #ifdef CONFIG_PROC_FS
 	char proc_str_data[20];
 	char proc_str_stat[25];