On Thu, 13 Aug 2020 18:30:50 -0400 Steven Rostedt <[email protected]> wrote:
> From: Steven Rostedt (VMware) <[email protected]>
> 
> While reviewing some patches for bootconfig, I noticed the following
> code in xbc_node_compose_key_after():
> 
> 	ret = snprintf(buf, size, "%s%s", xbc_node_get_data(node),
> 		       depth ? "." : "");
> 	if (ret < 0)
> 		return ret;
> 	if (ret > size) {
> 		size = 0;
> 	} else {
> 		size -= ret;
> 		buf += ret;
> 	}
> 
> But snprintf() returns the number of bytes that would be written, not
> the number of bytes that are written (ignoring the nul terminator).
> This means that if the number of non-null bytes written were to equal
> size, then the nul byte, which snprintf() always adds, will overwrite
> that last byte.
> 
> 	ret = snprintf(buf, 5, "hello");
> 	printf("buf = '%s'\n", buf);
> 	printf("ret = %d\n", ret);
> 
> produces:
> 
> 	buf = 'hell'
> 	ret = 5
> 
> The string was truncated without ret being greater than 5.
> Test (ret >= size) for overwrite.

What are the end-user visible effects of the bug? IOW, why cc:stable?
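A small stand-alone C program, added here to illustrate the report (it is not the kernel's xbc_node_compose_key_after() code): hello_into_five() reproduces the snprintf() return-value case from the mail, and compose_key() is a hypothetical stand-in for the quoted loop that can run with either the original (ret > size) or the proposed (ret >= size) check, so the case where ret == size can be compared directly.

```c
#include <stdio.h>
#include <string.h>

/* The case from the mail: snprintf() returns the length it wanted to
 * write (5) while the nul terminator takes the last byte of buf.
 * Copies the result into out (>= 5 bytes) and returns ret. */
static int hello_into_five(char *out)
{
	char buf[5];
	int ret = snprintf(buf, sizeof(buf), "hello");
	strcpy(out, buf);	/* buf is "hell" */
	return ret;		/* 5 */
}

/* Hypothetical stand-in for the key-composition loop: write each part,
 * plus "." unless it is the last one, into buf.  strict selects the
 * proposed (ret >= size) check instead of the original (ret > size).
 * Returns 1 if truncation was detected (size forced to 0), 0 if not,
 * and -1 on snprintf() error. */
static int compose_key(char *buf, size_t size, const char *const *parts,
		       int n, int strict)
{
	int truncated = 0;
	for (int i = 0; i < n; i++) {
		int ret = snprintf(buf, size, "%s%s", parts[i],
				   i + 1 < n ? "." : "");
		if (ret < 0)
			return -1;
		if (strict ? (size_t)ret >= size : (size_t)ret > size) {
			size = 0;	/* nothing more fits */
			truncated = 1;
		} else {
			size -= ret;
			buf += ret;
		}
	}
	return truncated;
}

int main(void)
{
	const char *parts[] = { "foo", "bar" };
	char out[8], small[7];	/* "foo.bar" needs 8 bytes with the nul */
	int ret = hello_into_five(out);
	printf("ret = %d, buf = '%s'\n", ret, out);
	ret = compose_key(small, sizeof(small), parts, 2, 0);
	printf("original check: truncated=%d buf='%s'\n", ret, small);
	ret = compose_key(small, sizeof(small), parts, 2, 1);
	printf("proposed check: truncated=%d buf='%s'\n", ret, small);
	return 0;
}
```

With the 7-byte buffer the second snprintf() returns exactly the remaining size, so the original check reports no truncation even though the buffer holds "foo.ba"; the proposed check reports it.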

