Commit 0a6047ee authored by Linus Torvalds's avatar Linus Torvalds
Browse files

Fix vsnprintf off-by-one bug 



The recent vsnprintf() fix introduced an off-by-one, and it's now
possible to overrun the target buffer by one byte.

The "end" pointer points to past the end of the buffer, so if we
have to truncate the result, it needs to be done though "end[-1]".

[ This is just an alternate and simpler patch to one proposed by Andrew
  and Jeremy, who actually noticed the problem ]

Acked-by: default avatarAndrew Morton <akpm@osdl.org>
Acked-by: default avatarJeremy Fitzhardinge <jeremy@goop.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@osdl.org>
parent 27d68a36

lib/vsprintf.c

+1 −1
Original line number Diff line number Diff line
@@ -489,7 +489,7 @@ int vsnprintf(char *buf, size_t size, const char *fmt, va_list args) 
		if (str < end)

			*str = '\0';

		else

			*end = '\0';

			end[-1] = '\0';

	}

	/* the trailing null byte doesn't count towards the total */

	return str-buf;

CRA Git | Maintained and supported by SUSTech CRA and CCSE