From: Erik Skultety
Date: Tue, 2 Jun 2015 07:25:04 +0000 (+0200)
Subject: nwfilter: Fix sscanf off-by-one error in virNWFilterSnoopLeaseFileLoad
X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=152e315433f2ff69a5e91a2269812918da2ce091;p=libvirt.git

nwfilter: Fix sscanf off-by-one error in virNWFilterSnoopLeaseFileLoad

We allocate 16 bytes for IPv4 address and 55 bytes for interface key, therefore we should read up to 15/54 bytes and let the last byte reserved for terminating null byte in sscanf.

https://bugzilla.redhat.com/show_bug.cgi?id=1226400
---

diff --git a/src/nwfilter/nwfilter_dhcpsnoop.c b/src/nwfilter/nwfilter_dhcpsnoop.c
index 6da8983d51..f331e22e9e 100644
--- a/src/nwfilter/nwfilter_dhcpsnoop.c
+++ b/src/nwfilter/nwfilter_dhcpsnoop.c
@@ -1958,8 +1958,8 @@ virNWFilterSnoopLeaseFileLoad(void)
 break;
 }
 ln++;
- /* key len 55 = "VMUUID"+'-'+"MAC" */
- if (sscanf(line, "%u %55s %16s %16s", &ipl.timeout,
+ /* key len 54 = "VMUUID"+'-'+"MAC" */
+ if (sscanf(line, "%u %54s %15s %15s", &ipl.timeout,
 ifkey, ipstr, srvstr) < 4) {
 virReportError(VIR_ERR_INTERNAL_ERROR,
 _("virNWFilterSnoopLeaseFileLoad lease file "
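Review bot: The field widths in the new `sscanf` format (`%54s`, `%15s`, `%15s`) are still bare literals that must each stay one less than the size of `ifkey`, `ipstr` and `srvstr`, whose declarations are outside this hunk, so the same off-by-one can come back if one of those buffers is resized. The updated comment explains only the 54; I would extend it to state the rule, e.g. `/* sscanf widths exclude the NUL: sizeof(buf) - 1 for ifkey, ipstr, srvstr */`. A token longer than its width is also not rejected: sscanf stops at the limit and the remainder is consumed by the next conversion, so the `< 4` check can still pass on a malformed or corrupted lease line. Whether later validation of `ipstr` and `srvstr` catches that case cannot be seen here, because the body of virNWFilterSnoopLeaseFileLoad continues outside the hunk.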