1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
|
https://bugs.gentoo.org/546928
From 46679bbbe89699016d31486de7599590d02a5054 Mon Sep 17 00:00:00 2001
From: Vadim Kochan <vadim4j@gmail.com>
Date: Mon, 20 Apr 2015 08:33:32 +0300
Subject: [PATCH] tc util: Fix possible buffer overflow when print class id
Use correct handle buffer length.
Signed-off-by: Vadim Kochan <vadim4j@gmail.com>
---
tc/tc_util.c | 19 ++++++++++---------
1 file changed, 10 insertions(+), 9 deletions(-)
diff --git a/tc/tc_util.c b/tc/tc_util.c
index 1d3153d..dc2b70f 100644
--- a/tc/tc_util.c
+++ b/tc/tc_util.c
@@ -128,30 +128,31 @@ ok:
return 0;
}
-int print_tc_classid(char *buf, int len, __u32 h)
+int print_tc_classid(char *buf, int blen, __u32 h)
{
- char handle[40] = {};
+ SPRINT_BUF(handle) = {};
+ int hlen = SPRINT_BSIZE - 1;
if (h == TC_H_ROOT)
sprintf(handle, "root");
else if (h == TC_H_UNSPEC)
- snprintf(handle, len, "none");
+ snprintf(handle, hlen, "none");
else if (TC_H_MAJ(h) == 0)
- snprintf(handle, len, ":%x", TC_H_MIN(h));
+ snprintf(handle, hlen, ":%x", TC_H_MIN(h));
else if (TC_H_MIN(h) == 0)
- snprintf(handle, len, "%x:", TC_H_MAJ(h) >> 16);
+ snprintf(handle, hlen, "%x:", TC_H_MAJ(h) >> 16);
else
- snprintf(handle, len, "%x:%x", TC_H_MAJ(h) >> 16, TC_H_MIN(h));
+ snprintf(handle, hlen, "%x:%x", TC_H_MAJ(h) >> 16, TC_H_MIN(h));
if (use_names) {
char clname[IDNAME_MAX] = {};
if (id_to_name(cls_names, h, clname))
- snprintf(buf, len, "%s#%s", clname, handle);
+ snprintf(buf, blen, "%s#%s", clname, handle);
else
- snprintf(buf, len, "%s", handle);
+ snprintf(buf, blen, "%s", handle);
} else {
- snprintf(buf, len, "%s", handle);
+ snprintf(buf, blen, "%s", handle);
}
return 0;
--
2.3.5
|