On Tue, 27 Apr 2021 15:13:10 GMT, Greg Rubin <github.com+829871+salusasecon...@openjdk.org> wrote:
>> src/jdk.crypto.cryptoki/share/native/libj2pkcs11/p11_objmgmt.c line 262:
>>
>>> 260: temp1 = msg;
>>> 261: temp2 = msg + 80;
>>> 262: for (i = 0; i < ckAttributesLength && temp1 < temp2; i++) {
>>
>> I think that this loop will append at most 11 bytes to the string each time
>> (is this correct?), if so, we can make the check `temp1 < temp2 - 12` to
>> count the final null and avoid running off the end with a buffer overflow.
>
> I apologize. This counting code is correct and doesn't have any of the issues
> I claimed. `snprintf` takes care of everything and I just missed it last
> night.

It's alright, thanks for checking and review.

-------------

PR: https://git.openjdk.java.net/jdk/pull/3709
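An added example, not part of the original thread and not the JDK's code: a bounded append loop of the kind discussed above, where `snprintf` is given the remaining space on every call so it never writes past the end of the buffer. The helper name `append_hex_list`, its signature and the sample values are assumptions for illustration; only the 80-byte size comes from the thread. It goes one step further than the loop guard alone by checking the return value and dropping a truncated element.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (an assumption, not the JDK's code): append each value
 * as hex, comma separated, into buf[0..cap). Returns how many values were
 * written in full; buf is always NUL-terminated when cap > 0. */
static size_t append_hex_list(char *buf, size_t cap,
                              const unsigned long *vals, size_t n)
{
    char *cur = buf;          /* plays the role of temp1 */
    char *end = buf + cap;    /* plays the role of temp2 */
    size_t i;

    if (cap == 0) return 0;
    buf[0] = '\0';
    for (i = 0; i < n && cur < end; i++) {
        size_t room = (size_t)(end - cur);   /* > 0 because cur < end */
        /* snprintf stores at most room bytes, terminator included, and
         * returns the length the full text would have needed. */
        int need = snprintf(cur, room, i ? ", %lX" : "%lX", vals[i]);
        if (need < 0) { *cur = '\0'; break; }   /* output error */
        if ((size_t)need >= room) {
            /* Truncated: stop instead of advancing cur past end, which
             * would make the next (end - cur) negative. */
            *cur = '\0';      /* drop the partial element */
            break;
        }
        cur += need;
    }
    return i;
}

int main(void)
{
    /* Constructed sample input: 20 attribute type values. */
    unsigned long types[20];
    char msg[80];
    size_t k, done;

    for (k = 0; k < 20; k++) types[k] = 0x80000000UL + k;
    done = append_hex_list(msg, sizeof msg, types, 20);
    printf("%zu values, %zu chars: %s\n", done, strlen(msg), msg);
    return 0;
}
```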