From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Sun, 24 Nov 2013 18:49:15 +0000 (+0100)
Subject: datatype: fix missing nul-terminated string in string_type_print
X-Git-Tag: v0.099~48
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=99af859adcf8b8d44ac8a2202467f4b7b4987e3f;p=thirdparty%2Fnftables.git

datatype: fix missing nul-terminated string in string_type_print

Thomas Berger reported that he is seeing garbage after valid string
values, eg.

fwtest01 ~ # nft -i
nft> table filter
nft> add chain filter input
nft> add rule filter input meta iifname "lo" accept
nft> list table filter
table ip filter {
        chain input {
                 meta iifname "lo�.�" accept
        }
...

The buffer that is allocated in the stack does not include room to
nul-terminate the string accordingly. This patch fixes bugzilla
report #872:

https://bugzilla.netfilter.org/show_bug.cgi?id=872

Reported-by: Thomas Berger <loki@lokis-chaos.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---

diff --git a/src/datatype.c b/src/datatype.c
index 4c5a70f2e..2e5788dc8 100644
--- a/src/datatype.c
+++ b/src/datatype.c
@@ -256,9 +256,10 @@ const struct datatype integer_type = {
 static void string_type_print(const struct expr *expr)
 {
 	unsigned int len = div_round_up(expr->len, BITS_PER_BYTE);
-	char data[len];
+	char data[len+1];
 
 	mpz_export_data(data, expr->value, BYTEORDER_HOST_ENDIAN, len);
+	data[len] = '\0';
 	printf("\"%s\"", data);
 }