Blame SOURCES/conman-0.2.7-hack-around-overflow-issue.patch
|
|
bd2909 |
diff --git a/server-esc.c b/server-esc.c
|
|
|
bd2909 |
index 3616f67..bae7b8f 100644
|
|
|
bd2909 |
--- a/server-esc.c
|
|
|
bd2909 |
+++ b/server-esc.c
|
|
|
bd2909 |
@@ -333,7 +333,7 @@ static void perform_log_replay(obj_t *client)
|
|
|
bd2909 |
p = logfile->bufInPtr - n;
|
|
|
bd2909 |
if (p >= logfile->buf) { /* no wrap needed */
|
|
|
bd2909 |
memcpy(ptr, p, n);
|
|
|
bd2909 |
- ptr += n;
|
|
|
bd2909 |
+ ptr = (ptr - buf + n > MAX_BUF_SIZE - 1 ? buf + MAX_BUF_SIZE - 1 : ptr + n);
|
|
|
bd2909 |
}
|
|
|
bd2909 |
else { /* wrap backwards */
|
|
|
bd2909 |
m = logfile->buf - p;
|
|
|
bd2909 |
@@ -351,6 +351,9 @@ static void perform_log_replay(obj_t *client)
|
|
|
bd2909 |
* for this string. We could get away with just sprintf() here.
|
|
|
bd2909 |
*/
|
|
|
bd2909 |
len = &buf[sizeof(buf)] - ptr;
|
|
|
bd2909 |
+ if( len > sizeof(buf) - 1 ) { /* Ensure buffer overflow cannot happen */
|
|
|
bd2909 |
+ len = sizeof(buf) - 1;
|
|
|
bd2909 |
+ }
|
|
|
bd2909 |
n = snprintf((char *) ptr, len, "%sEnd log replay of console [%s]%s",
|
|
|
bd2909 |
CONMAN_MSG_PREFIX, console->name, CONMAN_MSG_SUFFIX);
|
|
|
bd2909 |
assert((n >= 0) && (n < len));
|