Use secure string copy to avoid overflow

Error: STRING_OVERFLOW (CWE-120): [#def2]
libslirp-4.3.0/src/ip_icmp.c:277: fixed_size_dest: You might overrun the 20-character fixed-size string "bufa" by copying the return value of "inet_ntoa" without checking the length.
  275|       if (slirp_debug & DBG_MISC) {
  276|           char bufa[20], bufb[20];
  277|->         strcpy(bufa, inet_ntoa(ip->ip_src));
  278|           strcpy(bufb, inet_ntoa(ip->ip_dst));
  279|           DEBUG_MISC(" %.16s to %.16s", bufa, bufb);

Error: STRING_OVERFLOW (CWE-120): [#def3]
libslirp-4.3.0/src/ip_icmp.c:278: fixed_size_dest: You might overrun the 20-character fixed-size string "bufb" by copying the return value of "inet_ntoa" without checking the length.
  276|           char bufa[20], bufb[20];
  277|           strcpy(bufa, inet_ntoa(ip->ip_src));
  278|->         strcpy(bufb, inet_ntoa(ip->ip_dst));
  279|           DEBUG_MISC(" %.16s to %.16s", bufa, bufb);
  280|       }

Signed-off-by: Jindrich Novy <jnovy@redhat.com>
Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>

1 files changed, 2 insertions, 2 deletions

diff --git a/src/ip_icmp.c b/src/ip_icmp.c
index 7533595..13a0e55 100644
--- a/src/ip_icmp.c
+++ b/src/ip_icmp.c
@@ -277,8 +277,8 @@ void icmp_send_error(struct mbuf *msrc, uint8_t type, uint8_t code, int minsize,
     ip = mtod(msrc, struct ip *);
     if (slirp_debug & DBG_MISC) {
         char bufa[20], bufb[20];
-        strcpy(bufa, inet_ntoa(ip->ip_src));
-        strcpy(bufb, inet_ntoa(ip->ip_dst));
+        slirp_pstrcpy(bufa, sizeof(bufa), inet_ntoa(ip->ip_src));
+        slirp_pstrcpy(bufb, sizeof(bufb), inet_ntoa(ip->ip_dst));
         DEBUG_MISC(" %.16s to %.16s", bufa, bufb);
     }
     if (ip->ip_off & IP_OFFMASK)