From 8b5fbeea993f63d15d88f58693eaf0bb207907ef Mon Sep 17 00:00:00 2001
From: Mike Frysinger
Date: Tue, 21 Oct 2014 08:34:08 -0400
Subject: [PATCH] sock: fix decoding of struct ifreq.ifr_name

The ifr name fields of the ifreq structure might not be NUL terminated. If the user makes an ioctl call where they aren't, then strace ends up reading random content from its own stack. Limit the printf lengths.

* sock.c (sock_ioctl): Add explicit length limits to ifr_name printfs.
---
 sock.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/sock.c b/sock.c
index dca9bfd4..d04e8330 100644
--- a/sock.c
+++ b/sock.c
@@ -131,12 +131,14 @@ sock_ioctl(struct tcb *tcp, long code, long arg)
 if (code == SIOCGIFNAME || code == SIOCSIFNAME)
 tprintf(", {ifr_index=%d, ifr_name=???}", ifr.ifr_ifindex);
 else
- tprintf(", {ifr_name=\"%s\", ???}", ifr.ifr_name);
+ tprintf(", {ifr_name=\"%.*s\", ???}",
+ IFNAMSIZ, ifr.ifr_name);
 } else if (code == SIOCGIFNAME || code == SIOCSIFNAME)
- tprintf(", {ifr_index=%d, ifr_name=\"%s\"}",
- ifr.ifr_ifindex, ifr.ifr_name);
+ tprintf(", {ifr_index=%d, ifr_name=\"%.*s\"}",
+ ifr.ifr_ifindex, IFNAMSIZ, ifr.ifr_name);
 else {
- tprintf(", {ifr_name=\"%s\", ", ifr.ifr_name);
+ tprintf(", {ifr_name=\"%.*s\", ",
+ IFNAMSIZ, ifr.ifr_name);
 switch (code) {
 case SIOCGIFINDEX:
 tprintf("ifr_index=%d", ifr.ifr_ifindex);
@@ -237,8 +239,8 @@ sock_ioctl(struct tcb *tcp, long code, long arg)
 for (i = 0; i < nifra; ++i ) {
 if (i > 0)
 tprints(", ");
- tprintf("{\"%s\", {",
- ifra[i].ifr_name);
+ tprintf("{\"%.*s\", {",
+ IFNAMSIZ, ifra[i].ifr_name);
 if (verbose(tcp)) {
 printxval(addrfams, ifra[i].ifr_addr.sa_family,
-- 
2.40.0
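Review bot: The bounded `%.*s` in the three rewritten tprintf calls stops the stack over-read, but ifr_name is still copied verbatim between the quotes, so a traced process that puts a `"`, a backslash, a newline or another control byte into the field can break the structure of strace's own output line; if this tree has a quoting helper that takes a local buffer and a length, the name should go through it instead of a raw `%.*s`. Passing IFNAMSIZ as the `*` precision is otherwise correct, since the precision is an int and `%.*s` stops at the first NUL or at the limit, whichever comes first, so a 16-byte unterminated name is never read past its array. A one-line comment at the first changed call would tell the next reader why the precision is there, e.g. `/* ifr_name need not be NUL-terminated: never read past IFNAMSIZ bytes */`. sock_ioctl begins and ends outside this hunk.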