From a26eb6eba3f318271d3fbd52152ad43acfc15393 Mon Sep 17 00:00:00 2001

From: Phil Sutter <phil@nwl.cc>

Date: Thu, 24 Mar 2022 18:14:50 +0100

Subject: [PATCH] Fix potential buffer overrun in snprintf() calls

When consecutively printing into the same buffer at increasing offset,

reduce buffer size passed to snprintf() to not defeat its size checking.

Signed-off-by: Phil Sutter <phil@nwl.cc>

(cherry picked from commit 0e05989f3247e9aef0d96aafc144b2d853732891)

---

 src/process.c | 2 +-

 src/queue.c   | 4 ++--

 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/process.c b/src/process.c

index 3ddad5ffa7959..08598eeae84de 100644

--- a/src/process.c

+++ b/src/process.c

@@ -84,7 +84,7 @@ void fork_process_dump(int fd)

 	int size = 0;

 	list_for_each_entry(this, &process_list, head) {

-		size += snprintf(buf+size, sizeof(buf),

+		size += snprintf(buf + size, sizeof(buf) - size,

 				 "PID=%u type=%s\n",

 				 this->pid,

 				 this->type < CTD_PROC_MAX ?

diff --git a/src/queue.c b/src/queue.c

index 76425b18495b5..e94dc7c45d1fd 100644

--- a/src/queue.c

+++ b/src/queue.c

@@ -69,12 +69,12 @@ void queue_stats_show(int fd)

 	int size = 0;

 	char buf[512];

-	size += snprintf(buf+size, sizeof(buf),

+	size += snprintf(buf + size, sizeof(buf) - size,

 			 "allocated queue nodes:\t\t%12u\n\n",

 			 qobjects_num);

 	list_for_each_entry(this, &queue_list, list) {

-		size += snprintf(buf+size, sizeof(buf),

+		size += snprintf(buf + size, sizeof(buf) - size,

 				 "queue %s:\n"

 				 "current elements:\t\t%12u\n"

 				 "maximum elements:\t\t%12u\n"

-- 

2.34.1