From a26eb6eba3f318271d3fbd52152ad43acfc15393 Mon Sep 17 00:00:00 2001
From: Phil Sutter <phil@nwl.cc>
Date: Thu, 24 Mar 2022 18:14:50 +0100
Subject: [PATCH] Fix potential buffer overrun in snprintf() calls

When consecutively printing into the same buffer at increasing offset,
reduce buffer size passed to snprintf() to not defeat its size checking.

Signed-off-by: Phil Sutter <phil@nwl.cc>
(cherry picked from commit 0e05989f3247e9aef0d96aafc144b2d853732891)
---
 src/process.c | 2 +-
 src/queue.c   | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/process.c b/src/process.c
index 3ddad5ffa7959..08598eeae84de 100644
--- a/src/process.c
+++ b/src/process.c
@@ -84,7 +84,7 @@ void fork_process_dump(int fd)
 	int size = 0;
 
 	list_for_each_entry(this, &process_list, head) {
-		size += snprintf(buf+size, sizeof(buf),
+		size += snprintf(buf + size, sizeof(buf) - size,
 				 "PID=%u type=%s\n",
 				 this->pid,
 				 this->type < CTD_PROC_MAX ?
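Review bot: The bound `sizeof(buf) - size` on the added line is only safe while no earlier call has truncated: snprintf() returns the length it would have written, so after one truncation `size` exceeds the space left, the subtraction wraps in size_t to a huge value, and `buf + size` already points past the array. This call sits inside `list_for_each_entry` with no visible cap on the number of entries, so I would keep the return value in a local and stop on `if (ret < 0 || (size_t)ret >= sizeof(buf) - size) break;` before doing `size += ret;`. The same applies to both calls in queue_stats_show() in src/queue.c, where `buf` is 512 bytes and the second call also runs once per list entry. The declaration of `buf` and whatever consumes `size` afterwards are outside this hunk, so the length used for the final write should be checked against the same bound.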
diff --git a/src/queue.c b/src/queue.c
index 76425b18495b5..e94dc7c45d1fd 100644
--- a/src/queue.c
+++ b/src/queue.c
@@ -69,12 +69,12 @@ void queue_stats_show(int fd)
 	int size = 0;
 	char buf[512];
 
-	size += snprintf(buf+size, sizeof(buf),
+	size += snprintf(buf + size, sizeof(buf) - size,
 			 "allocated queue nodes:\t\t%12u\n\n",
 			 qobjects_num);
 
 	list_for_each_entry(this, &queue_list, list) {
-		size += snprintf(buf+size, sizeof(buf),
+		size += snprintf(buf + size, sizeof(buf) - size,
 				 "queue %s:\n"
 				 "current elements:\t\t%12u\n"
 				 "maximum elements:\t\t%12u\n"
-- 
2.34.1