leandrof/linux
1
0
Fork 0
forked from Minki/linux
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix vsnprintf off-by-one bug

Browse Source 
The recent vsnprintf() fix introduced an off-by-one, and it's now
possible to overrun the target buffer by one byte.

The "end" pointer points to past the end of the buffer, so if we
have to truncate the result, it needs to be done though "end[-1]".

[ This is just an alternate and simpler patch to one proposed by Andrew
  and Jeremy, who actually noticed the problem ]

Acked-by: Andrew Morton <akpm@osdl.org>
Acked-by: Jeremy Fitzhardinge <jeremy@goop.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
This commit is contained in:
Linus Torvalds 2006-06-28 17:09:34 -07:00
parent 27d68a36c4
commit 0a6047eef1
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
lib/vsprintf.c
View File

@ -489,7 +489,7 @@ int vsnprintf(char *buf, size_t size, const char *fmt, va_list args)
if (str < end)
*str = '\0';
else
*end = '\0';
end[-1] = '\0';
}
/* the trailing null byte doesn't count towards the total */
return str-buf;