From dceaa0894bd73c19d0d7130f571ac869b52f339d Mon Sep 17 00:00:00 2001
From: Willy Tarreau
Date: Wed, 25 Jul 2007 14:38:45 +0200
Subject: [PATCH] [MEDIUM] ensure we never overflow in chunk_printf()

The result of the vsnprintf() called in chunk_printf() must be checked, and should be added only if lower than the requested size. We simply return zero if we cannot write the chunk.
---
 src/buffers.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/buffers.c b/src/buffers.c
index 658539c3a..8b2c4d33e 100644
--- a/src/buffers.c
+++ b/src/buffers.c
@@ -193,9 +193,15 @@ int buffer_insert_line2(struct buffer *b, char *pos, const char *str, int len)
 int chunk_printf(struct chunk *chk, int size, const char *fmt, ...)
 {
 va_list argp;
+ int ret;
 va_start(argp, fmt);
- chk->len += vsnprintf(chk->str + chk->len, size - chk->len, fmt, argp);
+ ret = vsnprintf(chk->str + chk->len, size - chk->len, fmt, argp);
+ if (ret >= size - chk->len)
+ /* do not copy anything in case of truncation */
+ chk->str[chk->len] = 0;
+ else
+ chk->len += ret;
 va_end(argp);
 return chk->len;
 }
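Review bot: The new truncation check in chunk_printf() still assumes `size - chk->len` is positive and `ret` is non-negative, and the function verifies neither. If `chk->len` already equals `size` (assuming `size` is the capacity of `chk->str`), vsnprintf() gets a zero bound and the truncation branch then writes the terminator at `chk->str[size]`, one byte past the end. If `chk->len` exceeds `size`, the negative difference is converted to a very large size_t bound, so the write is effectively unbounded. A negative return from vsnprintf() takes the else branch and shrinks `chk->len`. I would add `if (chk->len >= size) return chk->len;` before `va_start()` and change the test to `if (ret < 0 || ret >= size - chk->len)`; whether any caller can reach these states is not visible from this hunk.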