authorJonathan Gray <jsg@cvs.openbsd.org>2016-10-28 12:42:40 +0000
committerJonathan Gray <jsg@cvs.openbsd.org>2016-10-28 12:42:40 +0000
commitaaa4cbeca6be3c392094933fff8ba7feda9bd75b (patch)
tree81cc21f340c59e0bdcb6deb08a0a36b5ca6893ba /usr.sbin
parentc513d7e8cc27215e7ed78489cbd72f85ff5bf27c (diff)
Don't assume s->ifname is NUL terminated and printable.
As in pfsync_print_clr() use vis(3) in print_state(). This was also found with afl though with a different input.
Diffstat (limited to 'usr.sbin')
-rw-r--r--usr.sbin/tcpdump/pf_print_state.c12
1 files changed, 9 insertions, 3 deletions
diff --git a/usr.sbin/tcpdump/pf_print_state.c b/usr.sbin/tcpdump/pf_print_state.c
index fb1e97873c4..9c1097fb0a8 100644
--- a/usr.sbin/tcpdump/pf_print_state.c
+++ b/usr.sbin/tcpdump/pf_print_state.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pf_print_state.c,v 1.12 2015/01/20 18:26:58 deraadt Exp $ */
+/* $OpenBSD: pf_print_state.c,v 1.13 2016/10/28 12:42:39 jsg Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -42,6 +42,7 @@
#include <stdio.h>
#include <string.h>
+#include <vis.h>
#include "pfctl_parser.h"
#include "pfctl.h"
@@ -182,7 +183,9 @@ print_state(struct pfsync_state *s, int opts)
{
struct pfsync_state_peer *src, *dst;
struct pfsync_state_key *sk, *nk;
- int min, sec, sidx, didx;
+ char ifname[IFNAMSIZ * 4 + 1];
+ int min, sec, sidx, didx, i;
+ char *cp = ifname;
if (s->direction == PF_OUT) {
src = &s->src;
@@ -199,7 +202,10 @@ print_state(struct pfsync_state *s, int opts)
if (s->proto == IPPROTO_ICMP || s->proto == IPPROTO_ICMPV6)
sk->port[1] = nk->port[1];
}
- printf("%s ", s->ifname);
+ /* Treat s->ifname as untrusted input. */
+ for (i = 0; i < IFNAMSIZ && s->ifname[i] != '\0'; i++)
+ cp = vis(cp, s->ifname[i], VIS_WHITE, 0);
+ printf("%s ", ifname);
printf("%s ", ipproto_string(s->proto));
if (nk->af != sk->af)
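Review bot: When `s->ifname[0]` is already NUL the new loop never calls vis(3), so nothing is written to the local `ifname` buffer declared in the previous hunk, and `printf("%s ", ifname)` then reads uninitialized stack memory until it happens to hit a zero byte. vis(3) NUL-terminates its destination only when it is called at least once, so the buffer should start out empty: either `ifname[0] = '\0';` just before the loop or `char ifname[IFNAMSIZ * 4 + 1] = "";` at the declaration. Since the comment itself treats `s->ifname` as untrusted input, an empty name is a case the parser should expect rather than rule out. The `IFNAMSIZ * 4 + 1` sizing matches the worst-case four output characters per input byte plus the terminator, so no change is needed there. The body of print_state() starts and continues outside these hunks.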