From 2a712269680a5016755193c010f0850441453b2d Mon Sep 17 00:00:00 2001 From: Pierre Pronchery Date: Tue, 24 Jul 2018 17:53:16 +0200 Subject: [PATCH] Let snprintf() use buffers completely --- client/config_init.c | 14 ++--- server/fw_util_firewalld.c | 110 ++++++++++++++++++------------------- server/fw_util_ipfw.c | 28 +++++----- server/fw_util_iptables.c | 110 ++++++++++++++++++------------------- server/fw_util_pf.c | 18 +++--- 5 files changed, 140 insertions(+), 140 deletions(-) diff --git a/client/config_init.c b/client/config_init.c index ff961f16..9b9793d0 100644 --- a/client/config_init.c +++ b/client/config_init.c @@ -1339,22 +1339,22 @@ add_single_var_to_rc(FILE* fhandle, short var_pos, fko_cli_options_t *options) proto_inttostr(options->spa_proto, val, sizeof(val)); break; case FWKNOP_CLI_ARG_SPA_SERVER_PORT : - snprintf(val, sizeof(val)-1, "%d", options->spa_dst_port); + snprintf(val, sizeof(val), "%d", options->spa_dst_port); break; case FWKNOP_CLI_ARG_SPA_SOURCE_PORT : - snprintf(val, sizeof(val)-1, "%d", options->spa_src_port); + snprintf(val, sizeof(val), "%d", options->spa_src_port); break; case FWKNOP_CLI_ARG_FW_TIMEOUT : - snprintf(val, sizeof(val)-1, "%d", options->fw_timeout); + snprintf(val, sizeof(val), "%d", options->fw_timeout); break; case FWKNOP_CLI_ARG_ALLOW_IP : strlcpy(val, options->allow_ip_str, sizeof(val)); break; case FWKNOP_CLI_ARG_TIME_OFFSET : if (options->time_offset_minus != 0) - snprintf(val, sizeof(val)-1, "-%d", options->time_offset_minus); + snprintf(val, sizeof(val), "-%d", options->time_offset_minus); else if (options->time_offset_plus != 0) - snprintf(val, sizeof(val)-1, "%d", options->time_offset_plus); + snprintf(val, sizeof(val), "%d", options->time_offset_plus); else; break; case FWKNOP_CLI_ARG_ENCRYPTION_MODE : 
@@ -1444,13 +1444,13 @@ add_single_var_to_rc(FILE* fhandle, short var_pos, fko_cli_options_t *options) bool_to_yesno(options->nat_rand_port, val, sizeof(val)); break; case FWKNOP_CLI_ARG_NAT_PORT : - snprintf(val, sizeof(val)-1, "%d", options->nat_port); + snprintf(val, sizeof(val), "%d", options->nat_port); break; case FWKNOP_CLI_ARG_VERBOSE: if((options->verbose == 0) || (options->verbose == 1)) bool_to_yesno(options->verbose, val, sizeof(val)); else - snprintf(val, sizeof(val)-1, "%d", options->verbose); + snprintf(val, sizeof(val), "%d", options->verbose); break; case FWKNOP_CLI_ARG_RESOLVE_IP_HTTPS: bool_to_yesno(options->resolve_ip_http_https, val, sizeof(val)); diff --git a/server/fw_util_firewalld.c b/server/fw_util_firewalld.c index 2b872853..f534cd6f 100644 --- a/server/fw_util_firewalld.c +++ b/server/fw_util_firewalld.c @@ -81,7 +81,7 @@ rule_exists_no_chk_support(const fko_srv_options_t * const opts, char exp_ts_search[CMD_BUFSIZE] = {0}; char *ndx = NULL; - snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " FIREWD_LIST_RULES_ARGS, + snprintf(cmd_buf, CMD_BUFSIZE, "%s " FIREWD_LIST_RULES_ARGS, opts->fw_config->fw_command, fwc->table, fwc->to_chain 
@@ -98,28 +98,28 @@ rule_exists_no_chk_support(const fko_srv_options_t * const opts, #endif if(proto == IPPROTO_TCP) - snprintf(proto_search, CMD_BUFSIZE-1, " tcp "); + snprintf(proto_search, CMD_BUFSIZE, " tcp "); else if(proto == IPPROTO_UDP) - snprintf(proto_search, CMD_BUFSIZE-1, " udp "); + snprintf(proto_search, CMD_BUFSIZE, " udp "); else if(proto == IPPROTO_ICMP) - snprintf(proto_search, CMD_BUFSIZE-1, " icmp "); + snprintf(proto_search, CMD_BUFSIZE, " icmp "); else - snprintf(proto_search, CMD_BUFSIZE-1, " %u ", proto); + snprintf(proto_search, CMD_BUFSIZE, " %u ", proto); - snprintf(port_search, CMD_BUFSIZE-1, "dpt:%u ", port); - snprintf(nat_port_search, CMD_BUFSIZE-1, ":%u", nat_port); - snprintf(target_search, CMD_BUFSIZE-1, " %s ", fwc->target); + snprintf(port_search, CMD_BUFSIZE, "dpt:%u ", port); + snprintf(nat_port_search, CMD_BUFSIZE, ":%u", nat_port); + snprintf(target_search, CMD_BUFSIZE, " %s ", fwc->target); if (srcip != NULL) - snprintf(srcip_search, CMD_BUFSIZE-1, " %s ", srcip); + snprintf(srcip_search, CMD_BUFSIZE, " %s ", srcip); if (dstip != NULL) - snprintf(dstip_search, CMD_BUFSIZE-1, " %s ", dstip); + snprintf(dstip_search, CMD_BUFSIZE, " %s ", dstip); if (natip != NULL) - snprintf(natip_search, CMD_BUFSIZE-1, " to:%s", natip); + snprintf(natip_search, CMD_BUFSIZE, " to:%s", natip); - snprintf(exp_ts_search, CMD_BUFSIZE-1, "%u ", exp_ts); + snprintf(exp_ts_search, CMD_BUFSIZE, "%u ", exp_ts); /* search for each of the substrings - the rule expiration time is the * primary search method @@ -193,7 +193,7 @@ rule_exists_chk_support(const fko_srv_options_t * const opts, zero_cmd_buffers(); - snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " FIREWD_CHK_RULE_ARGS, + snprintf(cmd_buf, CMD_BUFSIZE, "%s " FIREWD_CHK_RULE_ARGS, opts->fw_config->fw_command, chain, rule); res = run_extcmd(cmd_buf, err_buf, CMD_BUFSIZE, 
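Review bot: The bound passed for `proto_search`, `port_search`, `srcip_search` and the other search buffers is the `CMD_BUFSIZE` macro rather than the size of the destination. Only `exp_ts_search` has a visible declaration, as `char exp_ts_search[CMD_BUFSIZE]` in the preceding hunk. With the `-1` slack removed, each call is correct only if every one of these arrays is declared with that same macro. Assuming they are arrays like `exp_ts_search`, `snprintf(proto_search, sizeof(proto_search), " tcp ");` ties the bound to the object, as the `sizeof(val)` calls in client/config_init.c already do. The same applies to the matching block in server/fw_util_iptables.c and to the `snat_target` / `SNAT_TARGET_BUFSIZE` pairs in snat_rule; the declarations are outside these hunks and should be confirmed there.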
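Review bot: The return value of `snprintf()` is still discarded in rule_exists_chk_support before `cmd_buf` goes to `run_extcmd()`, so an over-long `chain` or `rule` string is silently cut and the shortened firewall command is executed anyway. Now that the full buffer is used, the check is cheap: `n = snprintf(cmd_buf, CMD_BUFSIZE, "%s " FIREWD_CHK_RULE_ARGS, opts->fw_config->fw_command, chain, rule);` followed by `if (n < 0 || n >= CMD_BUFSIZE)`, logging and returning without running the command. It matters most where the command changes firewall state: create_rule in fw_util_firewalld.c and fw_util_iptables.c (`"%s -I %s %s"` / `"%s -A %s %s"`) and process_spa_request in fw_util_ipfw.c have the same gap. A rule that loses its tail may no longer carry the matches or comment the caller intended. The function bodies continue outside these hunks, so the error return should follow each function's existing convention.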
@@ -264,7 +264,7 @@ firewd_chk_support(const fko_srv_options_t * const opts) * supports '-C' to check for it. Set "have_firewd_chk_support" accordingly, * delete the rule, and return. */ - snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " FIREWD_TMP_CHK_RULE_ARGS, + snprintf(cmd_buf, CMD_BUFSIZE, "%s " FIREWD_TMP_CHK_RULE_ARGS, opts->fw_config->fw_command, in_chain->table, in_chain->from_chain, @@ -283,7 +283,7 @@ firewd_chk_support(const fko_srv_options_t * const opts) /* Now see if '-C' works */ - snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " FIREWD_TMP_VERIFY_CHK_ARGS, + snprintf(cmd_buf, CMD_BUFSIZE, "%s " FIREWD_TMP_VERIFY_CHK_ARGS, opts->fw_config->fw_command, in_chain->table, in_chain->from_chain, @@ -312,7 +312,7 @@ firewd_chk_support(const fko_srv_options_t * const opts) */ zero_cmd_buffers(); - snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " FIREWD_DEL_RULE_ARGS, + snprintf(cmd_buf, CMD_BUFSIZE, "%s " FIREWD_DEL_RULE_ARGS, opts->fw_config->fw_command, in_chain->table, in_chain->from_chain, @@ -337,7 +337,7 @@ comment_match_exists(const fko_srv_options_t * const opts) * match and make sure it exists. If not, return zero. Otherwise, delete * the rule and return true. */ - snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " FIREWD_TMP_COMMENT_ARGS, + snprintf(cmd_buf, CMD_BUFSIZE, "%s " FIREWD_TMP_COMMENT_ARGS, opts->fw_config->fw_command, in_chain->table, in_chain->from_chain, @@ -359,7 +359,7 @@ comment_match_exists(const fko_srv_options_t * const opts) zero_cmd_buffers(); - snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " FIREWD_LIST_RULES_ARGS, + snprintf(cmd_buf, CMD_BUFSIZE, "%s " FIREWD_LIST_RULES_ARGS, opts->fw_config->fw_command, in_chain->table, in_chain->from_chain @@ -385,7 +385,7 @@ comment_match_exists(const fko_srv_options_t * const opts) */ zero_cmd_buffers(); - snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " FIREWD_DEL_RULE_ARGS, + snprintf(cmd_buf, CMD_BUFSIZE, "%s " FIREWD_DEL_RULE_ARGS, opts->fw_config->fw_command, in_chain->table, in_chain->from_chain, 
@@ -405,7 +405,7 @@ add_jump_rule(const fko_srv_options_t * const opts, const int chain_num) zero_cmd_buffers(); - snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " FIREWD_ADD_JUMP_RULE_ARGS, + snprintf(cmd_buf, CMD_BUFSIZE, "%s " FIREWD_ADD_JUMP_RULE_ARGS, fwc.fw_command, fwc.chain[chain_num].table, fwc.chain[chain_num].from_chain, @@ -440,7 +440,7 @@ chain_exists(const fko_srv_options_t * const opts, const int chain_num) zero_cmd_buffers(); - snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " FIREWD_CHAIN_EXISTS_ARGS, + snprintf(cmd_buf, CMD_BUFSIZE, "%s " FIREWD_CHAIN_EXISTS_ARGS, fwc.fw_command, fwc.chain[chain_num].table, fwc.chain[chain_num].to_chain @@ -474,7 +474,7 @@ jump_rule_exists_chk_support(const fko_srv_options_t * const opts, const int cha int exists = 0; char rule_buf[CMD_BUFSIZE] = {0}; - snprintf(rule_buf, CMD_BUFSIZE-1, FIREWD_CHK_JUMP_RULE_ARGS, + snprintf(rule_buf, CMD_BUFSIZE, FIREWD_CHK_JUMP_RULE_ARGS, fwc.chain[chain_num].table, fwc.chain[chain_num].to_chain ); @@ -497,7 +497,7 @@ jump_rule_exists_no_chk_support(const fko_srv_options_t * const opts, int exists = 0; char chain_search[CMD_BUFSIZE] = {0}; - snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " FIREWD_LIST_RULES_ARGS, + snprintf(cmd_buf, CMD_BUFSIZE, "%s " FIREWD_LIST_RULES_ARGS, fwc.fw_command, fwc.chain[chain_num].table, fwc.chain[chain_num].from_chain @@ -505,7 +505,7 @@ jump_rule_exists_no_chk_support(const fko_srv_options_t * const opts, /* include spaces on either side as produced by 'firewalld -L' output */ - snprintf(chain_search, CMD_BUFSIZE-1, " %s ", + snprintf(chain_search, CMD_BUFSIZE, " %s ", fwc.chain[chain_num].to_chain); if(search_extcmd(cmd_buf, WANT_STDERR, @@ -560,7 +560,7 @@ fw_dump_rules(const fko_srv_options_t * const opts) /* Create the list command */ - snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " FIREWD_LIST_ALL_RULES_ARGS, + snprintf(cmd_buf, CMD_BUFSIZE, "%s " FIREWD_LIST_ALL_RULES_ARGS, opts->fw_config->fw_command, ch[i].table ); 
@@ -594,7 +594,7 @@ fw_dump_rules(const fko_srv_options_t * const opts) /* Create the list command */ - snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " FIREWD_LIST_RULES_ARGS, + snprintf(cmd_buf, CMD_BUFSIZE, "%s " FIREWD_LIST_RULES_ARGS, opts->fw_config->fw_command, ch[i].table, ch[i].to_chain @@ -642,7 +642,7 @@ delete_all_chains(const fko_srv_options_t * const opts) { zero_cmd_buffers(); - snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " FIREWD_DEL_JUMP_RULE_ARGS, + snprintf(cmd_buf, CMD_BUFSIZE, "%s " FIREWD_DEL_JUMP_RULE_ARGS, fwc.fw_command, fwc.chain[i].table, fwc.chain[i].from_chain, @@ -668,7 +668,7 @@ delete_all_chains(const fko_srv_options_t * const opts) /* Now flush and remove the chain. */ - snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " FIREWD_FLUSH_CHAIN_ARGS, + snprintf(cmd_buf, CMD_BUFSIZE, "%s " FIREWD_FLUSH_CHAIN_ARGS, fwc.fw_command, fwc.chain[i].table, fwc.chain[i].to_chain @@ -688,7 +688,7 @@ delete_all_chains(const fko_srv_options_t * const opts) zero_cmd_buffers(); - snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " FIREWD_DEL_CHAIN_ARGS, + snprintf(cmd_buf, CMD_BUFSIZE, "%s " FIREWD_DEL_CHAIN_ARGS, fwc.fw_command, fwc.chain[i].table, fwc.chain[i].to_chain @@ -713,7 +713,7 @@ delete_all_chains(const fko_srv_options_t * const opts) /* Delete the rule to direct traffic to the NFQ chain. */ - snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " FIREWD_DEL_RULE_ARGS, + snprintf(cmd_buf, CMD_BUFSIZE, "%s " FIREWD_DEL_RULE_ARGS, fwc.fw_command, opts->config[CONF_NFQ_TABLE], "INPUT", @@ -734,7 +734,7 @@ delete_all_chains(const fko_srv_options_t * const opts) /* Flush the NFQ chain */ - snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " FIREWD_FLUSH_CHAIN_ARGS, + snprintf(cmd_buf, CMD_BUFSIZE, "%s " FIREWD_FLUSH_CHAIN_ARGS, fwc.fw_command, opts->config[CONF_NFQ_TABLE], opts->config[CONF_NFQ_CHAIN] 
@@ -754,7 +754,7 @@ delete_all_chains(const fko_srv_options_t * const opts) /* Delete the NF_QUEUE chains and rules */ - snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " FIREWD_DEL_CHAIN_ARGS, + snprintf(cmd_buf, CMD_BUFSIZE, "%s " FIREWD_DEL_CHAIN_ARGS, fwc.fw_command, opts->config[CONF_NFQ_TABLE], opts->config[CONF_NFQ_CHAIN] @@ -784,7 +784,7 @@ create_chain(const fko_srv_options_t * const opts, const int chain_num) /* Create the custom chain. */ - snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " FIREWD_NEW_CHAIN_ARGS, + snprintf(cmd_buf, CMD_BUFSIZE, "%s " FIREWD_NEW_CHAIN_ARGS, fwc.fw_command, fwc.chain[chain_num].table, fwc.chain[chain_num].to_chain @@ -849,7 +849,7 @@ create_fw_chains(const fko_srv_options_t * const opts) /* Create the NF_QUEUE chains and rules */ - snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " FIREWD_NEW_CHAIN_ARGS, + snprintf(cmd_buf, CMD_BUFSIZE, "%s " FIREWD_NEW_CHAIN_ARGS, fwc.fw_command, opts->config[CONF_NFQ_TABLE], opts->config[CONF_NFQ_CHAIN] @@ -872,7 +872,7 @@ create_fw_chains(const fko_srv_options_t * const opts) /* Create the rule to direct traffic to the NFQ chain. */ - snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " FIREWD_ADD_JUMP_RULE_ARGS, + snprintf(cmd_buf, CMD_BUFSIZE, "%s " FIREWD_ADD_JUMP_RULE_ARGS, fwc.fw_command, opts->config[CONF_NFQ_TABLE], "INPUT", @@ -901,7 +901,7 @@ create_fw_chains(const fko_srv_options_t * const opts) */ if(strlen(opts->config[CONF_NFQ_INTERFACE]) > 0) { - snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " FIREWD_NFQ_ADD_ARGS_WITH_IF, + snprintf(cmd_buf, CMD_BUFSIZE, "%s " FIREWD_NFQ_ADD_ARGS_WITH_IF, fwc.fw_command, opts->config[CONF_NFQ_TABLE], opts->config[CONF_NFQ_CHAIN], @@ -912,7 +912,7 @@ create_fw_chains(const fko_srv_options_t * const opts) } else { - snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " FIREWD_NFQ_ADD_ARGS, + snprintf(cmd_buf, CMD_BUFSIZE, "%s " FIREWD_NFQ_ADD_ARGS, fwc.fw_command, opts->config[CONF_NFQ_TABLE], opts->config[CONF_NFQ_CHAIN], 
@@ -1172,10 +1172,10 @@ create_rule(const fko_srv_options_t * const opts, zero_cmd_buffers(); if (strncasecmp(opts->config[CONF_ENABLE_RULE_PREPEND], "Y", 1) == 0) { - snprintf(cmd_buf, CMD_BUFSIZE-1, "%s -I %s %s", + snprintf(cmd_buf, CMD_BUFSIZE, "%s -I %s %s", opts->fw_config->fw_command, fw_chain, fw_rule); } else { - snprintf(cmd_buf, CMD_BUFSIZE-1, "%s -A %s %s", + snprintf(cmd_buf, CMD_BUFSIZE, "%s -A %s %s", opts->fw_config->fw_command, fw_chain, fw_rule); } @@ -1224,7 +1224,7 @@ firewd_rule(const fko_srv_options_t * const opts, { memset(rule_buf, 0, CMD_BUFSIZE); - snprintf(rule_buf, CMD_BUFSIZE-1, fw_rule_macro, + snprintf(rule_buf, CMD_BUFSIZE, fw_rule_macro, chain->table, proto, srcip, @@ -1283,7 +1283,7 @@ static void forward_access_rule(const fko_srv_options_t * const opts, if(acc->forward_all) { - snprintf(rule_buf, CMD_BUFSIZE-1, FIREWD_FWD_ALL_RULE_ARGS, + snprintf(rule_buf, CMD_BUFSIZE, FIREWD_FWD_ALL_RULE_ARGS, fwd_chain->table, spadat->use_src_ip, exp_ts, @@ -1300,7 +1300,7 @@ static void forward_access_rule(const fko_srv_options_t * const opts, { /* Make the FORWARD access rule */ - snprintf(rule_buf, CMD_BUFSIZE-1, FIREWD_FWD_RULE_ARGS, + snprintf(rule_buf, CMD_BUFSIZE, FIREWD_FWD_RULE_ARGS, fwd_chain->table, fst_proto, spadat->use_src_ip, @@ -1335,7 +1335,7 @@ static void dnat_rule(const fko_srv_options_t * const opts, { memset(rule_buf, 0, CMD_BUFSIZE); - snprintf(rule_buf, CMD_BUFSIZE-1, FIREWD_DNAT_ALL_RULE_ARGS, + snprintf(rule_buf, CMD_BUFSIZE, FIREWD_DNAT_ALL_RULE_ARGS, dnat_chain->table, spadat->use_src_ip, (fwc.use_destination ? spadat->pkt_destination_ip : FIREWD_ANY_IP), @@ -1354,7 +1354,7 @@ static void dnat_rule(const fko_srv_options_t * const opts, { memset(rule_buf, 0, CMD_BUFSIZE); - snprintf(rule_buf, CMD_BUFSIZE-1, FIREWD_DNAT_RULE_ARGS, + snprintf(rule_buf, CMD_BUFSIZE, FIREWD_DNAT_RULE_ARGS, dnat_chain->table, fst_proto, spadat->use_src_ip, 
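Review bot: In firewd_rule the format argument of `snprintf(rule_buf, CMD_BUFSIZE, fw_rule_macro, ...)` is a variable, so the compiler cannot check the argument list against the conversions and nothing at the call site says where the string may come from. From the name it is presumably always one of the compile-time `FIREWD_*_RULE_ARGS` macros, but the callers are outside this hunk. A comment above the call would record that contract, for example `/* fw_rule_macro must be a compile-time *_RULE_ARGS format; never pass config- or packet-derived text as the format */`. ipt_rule in server/fw_util_iptables.c has the identical call and would take the same comment.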
@@ -1398,7 +1398,7 @@ static void snat_rule(const fko_srv_options_t * const opts, { /* Default to MASQUERADE */ snat_chain = &(opts->fw_config->chain[FIREWD_MASQUERADE_ACCESS]); - snprintf(snat_target, SNAT_TARGET_BUFSIZE-1, " "); + snprintf(snat_target, SNAT_TARGET_BUFSIZE, " "); /* Add SNAT or MASQUERADE rules. */ @@ -1406,7 +1406,7 @@ static void snat_rule(const fko_srv_options_t * const opts, { /* Using static SNAT */ snat_chain = &(opts->fw_config->chain[FIREWD_SNAT_ACCESS]); - snprintf(snat_target, SNAT_TARGET_BUFSIZE-1, + snprintf(snat_target, SNAT_TARGET_BUFSIZE, "--to-source %s", acc->force_snat_ip); } else if((opts->config[CONF_SNAT_TRANSLATE_IP] != NULL) @@ -1414,13 +1414,13 @@ static void snat_rule(const fko_srv_options_t * const opts, { /* Using static SNAT */ snat_chain = &(opts->fw_config->chain[FIREWD_SNAT_ACCESS]); - snprintf(snat_target, SNAT_TARGET_BUFSIZE-1, + snprintf(snat_target, SNAT_TARGET_BUFSIZE, "--to-source %s", opts->config[CONF_SNAT_TRANSLATE_IP]); } memset(rule_buf, 0, CMD_BUFSIZE); - snprintf(rule_buf, CMD_BUFSIZE-1, FIREWD_SNAT_ALL_RULE_ARGS, + snprintf(rule_buf, CMD_BUFSIZE, FIREWD_SNAT_ALL_RULE_ARGS, snat_chain->table, spadat->use_src_ip, exp_ts, @@ -1440,14 +1440,14 @@ static void snat_rule(const fko_srv_options_t * const opts, { /* Using static SNAT */ snat_chain = &(opts->fw_config->chain[FIREWD_SNAT_ACCESS]); - snprintf(snat_target, SNAT_TARGET_BUFSIZE-1, + snprintf(snat_target, SNAT_TARGET_BUFSIZE, "--to-source %s", acc->force_snat_ip); } else if(acc->force_snat && acc->force_masquerade) { /* Using MASQUERADE */ snat_chain = &(opts->fw_config->chain[FIREWD_MASQUERADE_ACCESS]); - snprintf(snat_target, SNAT_TARGET_BUFSIZE-1, + snprintf(snat_target, SNAT_TARGET_BUFSIZE, "--to-ports %i", fst_port); } else if((opts->config[CONF_SNAT_TRANSLATE_IP] != NULL) 
@@ -1455,20 +1455,20 @@ static void snat_rule(const fko_srv_options_t * const opts, { /* Using static SNAT */ snat_chain = &(opts->fw_config->chain[FIREWD_SNAT_ACCESS]); - snprintf(snat_target, SNAT_TARGET_BUFSIZE-1, + snprintf(snat_target, SNAT_TARGET_BUFSIZE, "--to-source %s", opts->config[CONF_SNAT_TRANSLATE_IP]); } else { /* Using MASQUERADE */ snat_chain = &(opts->fw_config->chain[FIREWD_MASQUERADE_ACCESS]); - snprintf(snat_target, SNAT_TARGET_BUFSIZE-1, + snprintf(snat_target, SNAT_TARGET_BUFSIZE, "--to-ports %i", fst_port); } memset(rule_buf, 0, CMD_BUFSIZE); - snprintf(rule_buf, CMD_BUFSIZE-1, FIREWD_SNAT_RULE_ARGS, + snprintf(rule_buf, CMD_BUFSIZE, FIREWD_SNAT_RULE_ARGS, snat_chain->table, fst_proto, nat_ip, @@ -1773,7 +1773,7 @@ rm_expired_rules(const fko_srv_options_t * const opts, zero_cmd_buffers(); - snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " FIREWD_DEL_RULE_ARGS, + snprintf(cmd_buf, CMD_BUFSIZE, "%s " FIREWD_DEL_RULE_ARGS, opts->fw_config->fw_command, ch[cpos].table, ch[cpos].to_chain, @@ -1868,7 +1868,7 @@ check_firewall_rules(const fko_srv_options_t * const opts, * from fwknopd) to take advantage of fwknopd's timeout * mechanism. */ - snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " FIREWD_LIST_RULES_ARGS, + snprintf(cmd_buf, CMD_BUFSIZE, "%s " FIREWD_LIST_RULES_ARGS, opts->fw_config->fw_command, ch[i].table, ch[i].to_chain diff --git a/server/fw_util_ipfw.c b/server/fw_util_ipfw.c index e065383b..d921e95f 100644 --- a/server/fw_util_ipfw.c +++ b/server/fw_util_ipfw.c @@ -74,7 +74,7 @@ ipfw_set_exists(const fko_srv_options_t *opts, zero_cmd_buffers(); - snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPFW_LIST_SET_RULES_ARGS, + snprintf(cmd_buf, CMD_BUFSIZE, "%s " IPFW_LIST_SET_RULES_ARGS, fw_command, set_num ); 
@@ -111,7 +111,7 @@ fw_dump_rules(const fko_srv_options_t * const opts) /* Create the list command for all rules */ - snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPFW_LIST_ALL_RULES_ARGS, + snprintf(cmd_buf, CMD_BUFSIZE, "%s " IPFW_LIST_ALL_RULES_ARGS, opts->fw_config->fw_command ); @@ -137,7 +137,7 @@ fw_dump_rules(const fko_srv_options_t * const opts) /* Create the list command for active rules */ - snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPFW_LIST_RULES_ARGS, + snprintf(cmd_buf, CMD_BUFSIZE, "%s " IPFW_LIST_RULES_ARGS, opts->fw_config->fw_command, opts->fw_config->active_set_num ); @@ -158,7 +158,7 @@ fw_dump_rules(const fko_srv_options_t * const opts) /* Create the list command for expired rules */ - snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPFW_LIST_RULES_ARGS, + snprintf(cmd_buf, CMD_BUFSIZE, "%s " IPFW_LIST_RULES_ARGS, opts->fw_config->fw_command, opts->fw_config->expire_set_num ); @@ -284,7 +284,7 @@ fw_initialize(const fko_srv_options_t * const opts) { zero_cmd_buffers(); - snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPFW_ADD_CHECK_STATE_ARGS, + snprintf(cmd_buf, CMD_BUFSIZE, "%s " IPFW_ADD_CHECK_STATE_ARGS, fwc.fw_command, fwc.start_rule_num, fwc.active_set_num @@ -316,7 +316,7 @@ fw_initialize(const fko_srv_options_t * const opts) */ zero_cmd_buffers(); - snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPFW_DISABLE_SET_ARGS, + snprintf(cmd_buf, CMD_BUFSIZE, "%s " IPFW_DISABLE_SET_ARGS, fwc.fw_command, fwc.expire_set_num ); @@ -339,7 +339,7 @@ fw_initialize(const fko_srv_options_t * const opts) */ zero_cmd_buffers(); - snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPFW_LIST_EXP_SET_RULES_ARGS, + snprintf(cmd_buf, CMD_BUFSIZE, "%s " IPFW_LIST_EXP_SET_RULES_ARGS, opts->fw_config->fw_command, fwc.expire_set_num ); 
@@ -421,7 +421,7 @@ fw_cleanup(const fko_srv_options_t * const opts) { /* Create the set delete command for active rules */ - snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPFW_DEL_RULE_SET_ARGS, + snprintf(cmd_buf, CMD_BUFSIZE, "%s " IPFW_DEL_RULE_SET_ARGS, fwc.fw_command, fwc.active_set_num ); @@ -448,7 +448,7 @@ fw_cleanup(const fko_srv_options_t * const opts) { /* Create the set delete command for expired rules */ - snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPFW_DEL_RULE_SET_ARGS, + snprintf(cmd_buf, CMD_BUFSIZE, "%s " IPFW_DEL_RULE_SET_ARGS, fwc.fw_command, fwc.expire_set_num ); @@ -530,7 +530,7 @@ process_spa_request(const fko_srv_options_t * const opts, { zero_cmd_buffers(); - snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPFW_ADD_RULE_ARGS, + snprintf(cmd_buf, CMD_BUFSIZE, "%s " IPFW_ADD_RULE_ARGS, fwc.fw_command, rule_num, fwc.active_set_num, @@ -632,7 +632,7 @@ check_firewall_rules(const fko_srv_options_t * const opts, /* There should be a rule to delete. Get the current list of * rules for this chain and delete the ones that are expired. */ - snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPFW_LIST_SET_RULES_ARGS, + snprintf(cmd_buf, CMD_BUFSIZE, "%s " IPFW_LIST_SET_RULES_ARGS, opts->fw_config->fw_command, fwc.active_set_num ); @@ -748,7 +748,7 @@ check_firewall_rules(const fko_srv_options_t * const opts, /* Move the rule to the expired rules set. */ - snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPFW_MOVE_RULE_ARGS, + snprintf(cmd_buf, CMD_BUFSIZE, "%s " IPFW_MOVE_RULE_ARGS, opts->fw_config->fw_command, curr_rule, fwc.expire_set_num @@ -818,7 +818,7 @@ ipfw_purge_expired_rules(const fko_srv_options_t *opts) */ zero_cmd_buffers(); - snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPFW_LIST_SET_DYN_RULES_ARGS, + snprintf(cmd_buf, CMD_BUFSIZE, "%s " IPFW_LIST_SET_DYN_RULES_ARGS, opts->fw_config->fw_command, fwc.expire_set_num ); 
@@ -923,7 +923,7 @@ ipfw_purge_expired_rules(const fko_srv_options_t *opts) curr_rule = fwc.start_rule_num + i; - snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPFW_DEL_RULE_ARGS, + snprintf(cmd_buf, CMD_BUFSIZE, "%s " IPFW_DEL_RULE_ARGS, opts->fw_config->fw_command, #ifndef __APPLE__ fwc.expire_set_num, diff --git a/server/fw_util_iptables.c b/server/fw_util_iptables.c index 8d0c1848..37b49828 100644 --- a/server/fw_util_iptables.c +++ b/server/fw_util_iptables.c 
@@ -91,35 +91,35 @@ rule_exists_no_chk_support(const fko_srv_options_t * const opts, log_msg(LOG_WARNING, "[ignore] Code coverage: Executed command"); #endif - snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_LIST_RULES_ARGS, + snprintf(cmd_buf, CMD_BUFSIZE, "%s " IPT_LIST_RULES_ARGS, opts->fw_config->fw_command, fwc->table, fwc->to_chain ); if(proto == IPPROTO_TCP) - snprintf(proto_search, CMD_BUFSIZE-1, " tcp "); + snprintf(proto_search, CMD_BUFSIZE, " tcp "); else if(proto == IPPROTO_UDP) - snprintf(proto_search, CMD_BUFSIZE-1, " udp "); + snprintf(proto_search, CMD_BUFSIZE, " udp "); else if(proto == IPPROTO_ICMP) - snprintf(proto_search, CMD_BUFSIZE-1, " icmp "); + snprintf(proto_search, CMD_BUFSIZE, " icmp "); else - snprintf(proto_search, CMD_BUFSIZE-1, " %u ", proto); + snprintf(proto_search, CMD_BUFSIZE, " %u ", proto); - snprintf(port_search, CMD_BUFSIZE-1, "dpt:%u ", port); - snprintf(nat_port_search, CMD_BUFSIZE-1, ":%u", nat_port); - snprintf(target_search, CMD_BUFSIZE-1, " %s ", fwc->target); + snprintf(port_search, CMD_BUFSIZE, "dpt:%u ", port); + snprintf(nat_port_search, CMD_BUFSIZE, ":%u", nat_port); + snprintf(target_search, CMD_BUFSIZE, " %s ", fwc->target); if (srcip != NULL) - snprintf(srcip_search, CMD_BUFSIZE-1, " %s ", srcip); + snprintf(srcip_search, CMD_BUFSIZE, " %s ", srcip); if (dstip != NULL) - snprintf(dstip_search, CMD_BUFSIZE-1, " %s ", dstip); + snprintf(dstip_search, CMD_BUFSIZE, " %s ", dstip); if (natip != NULL) - snprintf(dstip_search, CMD_BUFSIZE-1, " to:%s", natip); + snprintf(dstip_search, CMD_BUFSIZE, " to:%s", natip); - snprintf(exp_ts_search, CMD_BUFSIZE-1, "%u ", exp_ts); + snprintf(exp_ts_search, CMD_BUFSIZE, "%u ", exp_ts); /* search for each of the substrings - the rule expiration time is the * primary search method 
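Review bot: The `natip` branch here still formats into `dstip_search` (`snprintf(dstip_search, CMD_BUFSIZE, " to:%s", natip);`), whereas the matching branch in server/fw_util_firewalld.c writes to `natip_search`. When both `dstip` and `natip` are set, the destination-IP pattern written just above is overwritten, and the NAT pattern is presumably left empty, so the rule-existence search can match on less than the caller asked for. If this function declares `natip_search` as the firewalld version does (the declarations are outside the hunk), the line should read `snprintf(natip_search, CMD_BUFSIZE, " to:%s", natip);`. The commit carries the old destination over unchanged, so this predates it, but it sits on a line the patch rewrites.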
@@ -193,7 +193,7 @@ rule_exists_chk_support(const fko_srv_options_t * const opts, zero_cmd_buffers(); - snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_CHK_RULE_ARGS, + snprintf(cmd_buf, CMD_BUFSIZE, "%s " IPT_CHK_RULE_ARGS, opts->fw_config->fw_command, chain, rule); res = run_extcmd(cmd_buf, err_buf, CMD_BUFSIZE, @@ -264,7 +264,7 @@ ipt_chk_support(const fko_srv_options_t * const opts) * supports '-C' to check for it. Set "have_ipt_chk_support" accordingly, * delete the rule, and return. */ - snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_TMP_CHK_RULE_ARGS, + snprintf(cmd_buf, CMD_BUFSIZE, "%s " IPT_TMP_CHK_RULE_ARGS, opts->fw_config->fw_command, in_chain->table, in_chain->from_chain, @@ -283,7 +283,7 @@ ipt_chk_support(const fko_srv_options_t * const opts) /* Now see if '-C' works - any output indicates failure */ - snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_TMP_VERIFY_CHK_ARGS, + snprintf(cmd_buf, CMD_BUFSIZE, "%s " IPT_TMP_VERIFY_CHK_ARGS, opts->fw_config->fw_command, in_chain->table, in_chain->from_chain, @@ -312,7 +312,7 @@ ipt_chk_support(const fko_srv_options_t * const opts) */ zero_cmd_buffers(); - snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_DEL_RULE_ARGS, + snprintf(cmd_buf, CMD_BUFSIZE, "%s " IPT_DEL_RULE_ARGS, opts->fw_config->fw_command, in_chain->table, in_chain->from_chain, @@ -337,7 +337,7 @@ comment_match_exists(const fko_srv_options_t * const opts) * match and make sure it exists. If not, return zero. Otherwise, delete * the rule and return true. */ - snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_TMP_COMMENT_ARGS, + snprintf(cmd_buf, CMD_BUFSIZE, "%s " IPT_TMP_COMMENT_ARGS, opts->fw_config->fw_command, in_chain->table, in_chain->from_chain, @@ -354,7 +354,7 @@ comment_match_exists(const fko_srv_options_t * const opts) zero_cmd_buffers(); - snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_LIST_RULES_ARGS, + snprintf(cmd_buf, CMD_BUFSIZE, "%s " IPT_LIST_RULES_ARGS, opts->fw_config->fw_command, in_chain->table, in_chain->from_chain 
@@ -380,7 +380,7 @@ comment_match_exists(const fko_srv_options_t * const opts) */ zero_cmd_buffers(); - snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_DEL_RULE_ARGS, + snprintf(cmd_buf, CMD_BUFSIZE, "%s " IPT_DEL_RULE_ARGS, opts->fw_config->fw_command, in_chain->table, in_chain->from_chain, @@ -400,7 +400,7 @@ add_jump_rule(const fko_srv_options_t * const opts, const int chain_num) zero_cmd_buffers(); - snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_ADD_JUMP_RULE_ARGS, + snprintf(cmd_buf, CMD_BUFSIZE, "%s " IPT_ADD_JUMP_RULE_ARGS, fwc.fw_command, fwc.chain[chain_num].table, fwc.chain[chain_num].from_chain, @@ -435,7 +435,7 @@ chain_exists(const fko_srv_options_t * const opts, const int chain_num) zero_cmd_buffers(); - snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_CHAIN_EXISTS_ARGS, + snprintf(cmd_buf, CMD_BUFSIZE, "%s " IPT_CHAIN_EXISTS_ARGS, fwc.fw_command, fwc.chain[chain_num].table, fwc.chain[chain_num].to_chain @@ -465,7 +465,7 @@ jump_rule_exists_chk_support(const fko_srv_options_t * const opts, const int cha int exists = 0; char rule_buf[CMD_BUFSIZE] = {0}; - snprintf(rule_buf, CMD_BUFSIZE-1, IPT_CHK_JUMP_RULE_ARGS, + snprintf(rule_buf, CMD_BUFSIZE, IPT_CHK_JUMP_RULE_ARGS, fwc.chain[chain_num].table, fwc.chain[chain_num].to_chain ); @@ -488,7 +488,7 @@ jump_rule_exists_no_chk_support(const fko_srv_options_t * const opts, int exists = 0; char chain_search[CMD_BUFSIZE] = {0}; - snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_LIST_RULES_ARGS, + snprintf(cmd_buf, CMD_BUFSIZE, "%s " IPT_LIST_RULES_ARGS, fwc.fw_command, fwc.chain[chain_num].table, fwc.chain[chain_num].from_chain @@ -496,7 +496,7 @@ jump_rule_exists_no_chk_support(const fko_srv_options_t * const opts, /* include spaces on either side as produced by 'iptables -L' output */ - snprintf(chain_search, CMD_BUFSIZE-1, " %s ", + snprintf(chain_search, CMD_BUFSIZE, " %s ", fwc.chain[chain_num].to_chain); if(search_extcmd(cmd_buf, WANT_STDERR, 
@@ -548,7 +548,7 @@ fw_dump_rules(const fko_srv_options_t * const opts) /* Create the list command */ - snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_LIST_ALL_RULES_ARGS, + snprintf(cmd_buf, CMD_BUFSIZE, "%s " IPT_LIST_ALL_RULES_ARGS, opts->fw_config->fw_command, ch[i].table ); @@ -582,7 +582,7 @@ fw_dump_rules(const fko_srv_options_t * const opts) /* Create the list command */ - snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_LIST_RULES_ARGS, + snprintf(cmd_buf, CMD_BUFSIZE, "%s " IPT_LIST_RULES_ARGS, opts->fw_config->fw_command, ch[i].table, ch[i].to_chain @@ -630,7 +630,7 @@ delete_all_chains(const fko_srv_options_t * const opts) { zero_cmd_buffers(); - snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_DEL_JUMP_RULE_ARGS, + snprintf(cmd_buf, CMD_BUFSIZE, "%s " IPT_DEL_JUMP_RULE_ARGS, fwc.fw_command, fwc.chain[i].table, fwc.chain[i].from_chain, @@ -656,7 +656,7 @@ delete_all_chains(const fko_srv_options_t * const opts) /* Now flush and remove the chain. */ - snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_FLUSH_CHAIN_ARGS, + snprintf(cmd_buf, CMD_BUFSIZE, "%s " IPT_FLUSH_CHAIN_ARGS, fwc.fw_command, fwc.chain[i].table, fwc.chain[i].to_chain @@ -676,7 +676,7 @@ delete_all_chains(const fko_srv_options_t * const opts) zero_cmd_buffers(); - snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_DEL_CHAIN_ARGS, + snprintf(cmd_buf, CMD_BUFSIZE, "%s " IPT_DEL_CHAIN_ARGS, fwc.fw_command, fwc.chain[i].table, fwc.chain[i].to_chain @@ -702,7 +702,7 @@ delete_all_chains(const fko_srv_options_t * const opts) /* Delete the rule to direct traffic to the NFQ chain. */ - snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_DEL_RULE_ARGS, + snprintf(cmd_buf, CMD_BUFSIZE, "%s " IPT_DEL_RULE_ARGS, fwc.fw_command, opts->config[CONF_NFQ_TABLE], "INPUT", 
@@ -723,7 +723,7 @@ delete_all_chains(const fko_srv_options_t * const opts) /* Flush the NFQ chain */ - snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_FLUSH_CHAIN_ARGS, + snprintf(cmd_buf, CMD_BUFSIZE, "%s " IPT_FLUSH_CHAIN_ARGS, fwc.fw_command, opts->config[CONF_NFQ_TABLE], opts->config[CONF_NFQ_CHAIN] @@ -743,7 +743,7 @@ delete_all_chains(const fko_srv_options_t * const opts) /* Delete the NF_QUEUE chains and rules */ - snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_DEL_CHAIN_ARGS, + snprintf(cmd_buf, CMD_BUFSIZE, "%s " IPT_DEL_CHAIN_ARGS, fwc.fw_command, opts->config[CONF_NFQ_TABLE], opts->config[CONF_NFQ_CHAIN] @@ -772,7 +772,7 @@ create_chain(const fko_srv_options_t * const opts, const int chain_num) /* Create the custom chain. */ - snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_NEW_CHAIN_ARGS, + snprintf(cmd_buf, CMD_BUFSIZE, "%s " IPT_NEW_CHAIN_ARGS, fwc.fw_command, fwc.chain[chain_num].table, fwc.chain[chain_num].to_chain @@ -838,7 +838,7 @@ create_fw_chains(const fko_srv_options_t * const opts) /* Create the NF_QUEUE chains and rules */ - snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_NEW_CHAIN_ARGS, + snprintf(cmd_buf, CMD_BUFSIZE, "%s " IPT_NEW_CHAIN_ARGS, fwc.fw_command, opts->config[CONF_NFQ_TABLE], opts->config[CONF_NFQ_CHAIN] @@ -861,7 +861,7 @@ create_fw_chains(const fko_srv_options_t * const opts) /* Create the rule to direct traffic to the NFQ chain. */ - snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_ADD_JUMP_RULE_ARGS, + snprintf(cmd_buf, CMD_BUFSIZE, "%s " IPT_ADD_JUMP_RULE_ARGS, fwc.fw_command, opts->config[CONF_NFQ_TABLE], "INPUT", @@ -890,7 +890,7 @@ create_fw_chains(const fko_srv_options_t * const opts) */ if(strlen(opts->config[CONF_NFQ_INTERFACE]) > 0) { - snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_NFQ_ADD_ARGS_WITH_IF, + snprintf(cmd_buf, CMD_BUFSIZE, "%s " IPT_NFQ_ADD_ARGS_WITH_IF, fwc.fw_command, opts->config[CONF_NFQ_TABLE], opts->config[CONF_NFQ_CHAIN], 
@@ -901,7 +901,7 @@ create_fw_chains(const fko_srv_options_t * const opts) } else { - snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_NFQ_ADD_ARGS, + snprintf(cmd_buf, CMD_BUFSIZE, "%s " IPT_NFQ_ADD_ARGS, fwc.fw_command, opts->config[CONF_NFQ_TABLE], opts->config[CONF_NFQ_CHAIN], @@ -1155,10 +1155,10 @@ create_rule(const fko_srv_options_t * const opts, zero_cmd_buffers(); if (strncasecmp(opts->config[CONF_ENABLE_RULE_PREPEND], "Y", 1) == 0) { - snprintf(cmd_buf, CMD_BUFSIZE-1, "%s -I %s %s", + snprintf(cmd_buf, CMD_BUFSIZE, "%s -I %s %s", opts->fw_config->fw_command, fw_chain, fw_rule); } else { - snprintf(cmd_buf, CMD_BUFSIZE-1, "%s -A %s %s", + snprintf(cmd_buf, CMD_BUFSIZE, "%s -A %s %s", opts->fw_config->fw_command, fw_chain, fw_rule); } res = run_extcmd(cmd_buf, err_buf, CMD_BUFSIZE, WANT_STDERR, @@ -1207,7 +1207,7 @@ ipt_rule(const fko_srv_options_t * const opts, { memset(rule_buf, 0, CMD_BUFSIZE); - snprintf(rule_buf, CMD_BUFSIZE-1, fw_rule_macro, + snprintf(rule_buf, CMD_BUFSIZE, fw_rule_macro, chain->table, proto, srcip, @@ -1266,7 +1266,7 @@ static void forward_access_rule(const fko_srv_options_t * const opts, if(acc->forward_all) { - snprintf(rule_buf, CMD_BUFSIZE-1, IPT_FWD_ALL_RULE_ARGS, + snprintf(rule_buf, CMD_BUFSIZE, IPT_FWD_ALL_RULE_ARGS, fwd_chain->table, spadat->use_src_ip, exp_ts, @@ -1281,7 +1281,7 @@ static void forward_access_rule(const fko_srv_options_t * const opts, } else { - snprintf(rule_buf, CMD_BUFSIZE-1, IPT_FWD_RULE_ARGS, + snprintf(rule_buf, CMD_BUFSIZE, IPT_FWD_RULE_ARGS, fwd_chain->table, fst_proto, spadat->use_src_ip, @@ -1318,7 +1318,7 @@ static void dnat_rule(const fko_srv_options_t * const opts, { memset(rule_buf, 0, CMD_BUFSIZE); - snprintf(rule_buf, CMD_BUFSIZE-1, IPT_DNAT_ALL_RULE_ARGS, + snprintf(rule_buf, CMD_BUFSIZE, IPT_DNAT_ALL_RULE_ARGS, dnat_chain->table, spadat->use_src_ip, (fwc.use_destination ? spadat->pkt_destination_ip : IPT_ANY_IP), 
@@ -1337,7 +1337,7 @@ static void dnat_rule(const fko_srv_options_t * const opts,
 { memset(rule_buf, 0, CMD_BUFSIZE);
- snprintf(rule_buf, CMD_BUFSIZE-1, IPT_DNAT_RULE_ARGS,
+ snprintf(rule_buf, CMD_BUFSIZE, IPT_DNAT_RULE_ARGS,
 dnat_chain->table, fst_proto, spadat->use_src_ip,
@@ -1381,7 +1381,7 @@ static void snat_rule(const fko_srv_options_t * const opts,
 { /* Default to MASQUERADE */ snat_chain = &(opts->fw_config->chain[IPT_MASQUERADE_ACCESS]);
- snprintf(snat_target, SNAT_TARGET_BUFSIZE-1, " ");
+ snprintf(snat_target, SNAT_TARGET_BUFSIZE, " ");
 /* Add SNAT or MASQUERADE rules. */
@@ -1389,7 +1389,7 @@ static void snat_rule(const fko_srv_options_t * const opts,
 { /* Using static SNAT */ snat_chain = &(opts->fw_config->chain[IPT_SNAT_ACCESS]);
- snprintf(snat_target, SNAT_TARGET_BUFSIZE-1,
+ snprintf(snat_target, SNAT_TARGET_BUFSIZE,
 "--to-source %s", acc->force_snat_ip); } else if((opts->config[CONF_SNAT_TRANSLATE_IP] != NULL)
@@ -1397,13 +1397,13 @@ static void snat_rule(const fko_srv_options_t * const opts,
 { /* Using static SNAT */ snat_chain = &(opts->fw_config->chain[IPT_SNAT_ACCESS]);
- snprintf(snat_target, SNAT_TARGET_BUFSIZE-1,
+ snprintf(snat_target, SNAT_TARGET_BUFSIZE,
 "--to-source %s", opts->config[CONF_SNAT_TRANSLATE_IP]); } memset(rule_buf, 0, CMD_BUFSIZE);
- snprintf(rule_buf, CMD_BUFSIZE-1, IPT_SNAT_ALL_RULE_ARGS,
+ snprintf(rule_buf, CMD_BUFSIZE, IPT_SNAT_ALL_RULE_ARGS,
 snat_chain->table, spadat->use_src_ip, exp_ts,
@@ -1423,14 +1423,14 @@ static void snat_rule(const fko_srv_options_t * const opts,
 { /* Using static SNAT */ snat_chain = &(opts->fw_config->chain[IPT_SNAT_ACCESS]);
- snprintf(snat_target, SNAT_TARGET_BUFSIZE-1,
+ snprintf(snat_target, SNAT_TARGET_BUFSIZE,
 "--to-source %s", acc->force_snat_ip); } else if(acc->force_snat && acc->force_masquerade) { /* Using MASQUERADE */ snat_chain = &(opts->fw_config->chain[IPT_MASQUERADE_ACCESS]);
- snprintf(snat_target, SNAT_TARGET_BUFSIZE-1,
+ snprintf(snat_target, SNAT_TARGET_BUFSIZE,
 "--to-ports %i", fst_port); } else if((opts->config[CONF_SNAT_TRANSLATE_IP] != NULL)
@@ -1438,20 +1438,20 @@ static void snat_rule(const fko_srv_options_t * const opts,
 { /* Using static SNAT */ snat_chain = &(opts->fw_config->chain[IPT_SNAT_ACCESS]);
- snprintf(snat_target, SNAT_TARGET_BUFSIZE-1,
+ snprintf(snat_target, SNAT_TARGET_BUFSIZE,
 "--to-source %s", opts->config[CONF_SNAT_TRANSLATE_IP]); } else { /* Using MASQUERADE */ snat_chain = &(opts->fw_config->chain[IPT_MASQUERADE_ACCESS]);
- snprintf(snat_target, SNAT_TARGET_BUFSIZE-1,
+ snprintf(snat_target, SNAT_TARGET_BUFSIZE,
 "--to-ports %i", fst_port); } memset(rule_buf, 0, CMD_BUFSIZE);
- snprintf(rule_buf, CMD_BUFSIZE-1, IPT_SNAT_RULE_ARGS,
+ snprintf(rule_buf, CMD_BUFSIZE, IPT_SNAT_RULE_ARGS,
 snat_chain->table, fst_proto, nat_ip,
@@ -1757,7 +1757,7 @@ rm_expired_rules(const fko_srv_options_t * const opts,
 zero_cmd_buffers();
- snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_DEL_RULE_ARGS,
+ snprintf(cmd_buf, CMD_BUFSIZE, "%s " IPT_DEL_RULE_ARGS,
 opts->fw_config->fw_command, ch[cpos].table, ch[cpos].to_chain,
@@ -1852,7 +1852,7 @@ check_firewall_rules(const fko_srv_options_t * const opts,
 * from fwknopd) to take advantage of fwknopd's timeout * mechanism. */
- snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " IPT_LIST_RULES_ARGS,
+ snprintf(cmd_buf, CMD_BUFSIZE, "%s " IPT_LIST_RULES_ARGS,
 opts->fw_config->fw_command, ch[i].table, ch[i].to_chain
diff --git a/server/fw_util_pf.c b/server/fw_util_pf.c
index 038e187a..747fd328 100644
--- a/server/fw_util_pf.c
+++ b/server/fw_util_pf.c
@@ -65,7 +65,7 @@ fw_dump_rules(const fko_srv_options_t * const opts)
 /* Create the list command for active rules */
- snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " PF_LIST_ANCHOR_RULES_ARGS,
+ snprintf(cmd_buf, CMD_BUFSIZE, "%s " PF_LIST_ANCHOR_RULES_ARGS,
 opts->fw_config->fw_command, opts->fw_config->anchor );
@@ -98,12 +98,12 @@ anchor_active(const fko_srv_options_t *opts)
 /* Build our anchor search string */
- snprintf(anchor_search_str, MAX_PF_ANCHOR_SEARCH_LEN-1, "%s\n",
+ snprintf(anchor_search_str, MAX_PF_ANCHOR_SEARCH_LEN, "%s\n",
 opts->fw_config->anchor); zero_cmd_buffers();
- snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " PF_ANCHOR_CHECK_ARGS,
+ snprintf(cmd_buf, CMD_BUFSIZE, "%s " PF_ANCHOR_CHECK_ARGS,
 opts->fw_config->fw_command );
@@ -123,7 +123,7 @@ delete_all_anchor_rules(const fko_srv_options_t *opts)
 zero_cmd_buffers();
- snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " PF_DEL_ALL_ANCHOR_RULES,
+ snprintf(cmd_buf, CMD_BUFSIZE, "%s " PF_DEL_ALL_ANCHOR_RULES,
 fwc.fw_command, fwc.anchor );
@@ -231,7 +231,7 @@ process_spa_request(const fko_srv_options_t * const opts,
 { zero_cmd_buffers();
- snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " PF_LIST_ANCHOR_RULES_ARGS,
+ snprintf(cmd_buf, CMD_BUFSIZE, "%s " PF_LIST_ANCHOR_RULES_ARGS,
 opts->fw_config->fw_command, opts->fw_config->anchor );
@@ -244,7 +244,7 @@ process_spa_request(const fko_srv_options_t * const opts,
 /* Build the new rule string */ memset(new_rule, 0x0, MAX_PF_NEW_RULE_LEN);
- snprintf(new_rule, MAX_PF_NEW_RULE_LEN-1, PF_ADD_RULE_ARGS "\n",
+ snprintf(new_rule, MAX_PF_NEW_RULE_LEN, PF_ADD_RULE_ARGS "\n",
 ple->proto, spadat->use_src_ip, (fwc.use_destination ? spadat->pkt_destination_ip : PF_ANY_IP),
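Review bot: In the `anchor_active` hunk the search string is built with `"%s\n"`, so when `opts->fw_config->anchor` does not fit in `anchor_search_str` the trailing newline is the first thing truncation removes. If that newline is what delimits the anchor name when the string is compared with the command output (the matching code is outside the hunk), a truncated string would match on a prefix of the name instead of the whole line. Checking the result closes that gap: `n = snprintf(anchor_search_str, MAX_PF_ANCHOR_SEARCH_LEN, "%s\n", opts->fw_config->anchor); if (n < 0 || n >= MAX_PF_ANCHOR_SEARCH_LEN) { /* treat as an error */ }`. The `new_rule` call in the `process_spa_request` hunk at -244 ends its format with `"\n"` as well and deserves the same check.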
@@ -260,7 +260,7 @@ process_spa_request(const fko_srv_options_t * const opts,
 memset(write_cmd, 0x0, CMD_BUFSIZE);
- snprintf(write_cmd, CMD_BUFSIZE-1, "%s " PF_WRITE_ANCHOR_RULES_ARGS,
+ snprintf(write_cmd, CMD_BUFSIZE, "%s " PF_WRITE_ANCHOR_RULES_ARGS,
 opts->fw_config->fw_command, opts->fw_config->anchor );
@@ -362,7 +362,7 @@ check_firewall_rules(const fko_srv_options_t * const opts,
 /* There should be a rule to delete. Get the current list of * rules and delete the ones that are expired. */
- snprintf(cmd_buf, CMD_BUFSIZE-1, "%s " PF_LIST_ANCHOR_RULES_ARGS,
+ snprintf(cmd_buf, CMD_BUFSIZE, "%s " PF_LIST_ANCHOR_RULES_ARGS,
 opts->fw_config->fw_command, opts->fw_config->anchor );
@@ -503,7 +503,7 @@ check_firewall_rules(const fko_srv_options_t * const opts,
 { memset(write_cmd, 0x0, CMD_BUFSIZE);
- snprintf(write_cmd, CMD_BUFSIZE-1, "%s " PF_WRITE_ANCHOR_RULES_ARGS,
+ snprintf(write_cmd, CMD_BUFSIZE, "%s " PF_WRITE_ANCHOR_RULES_ARGS,
 opts->fw_config->fw_command, opts->fw_config->anchor );