libosmo-netif[master]: osmux: Fix buffer overflow in osmux_snprintf

Holger Freyther gerrit-no-reply at lists.osmocom.org
Tue Aug 15 04:15:13 UTC 2017


Patch Set 1:

Ouch! I didn't see that when reviewing the original. But the result of sprintf might be negative as well?

But I think there might be more errors in this routine...

* size is of type size_t but snprintf returns int
* snprintf returns the number of characters that would have been printed (or error)
(on OSX: "except for snprintf() and vsnprintf(), which return the number of characters that would have been printed if the size were unlimited")

Let's say we have...

char buf[8];
size_t size = 8;
int ret = snprintf(buf, size, "%s", "123456890");
size -= ret;

=> now size_t should be very big, or am I missing something?

-- 
To view, visit https://gerrit.osmocom.org/3521

Gerrit-MessageType: comment
Gerrit-Change-Id: I8a7cc422c181c0c5712ac8976a5be5f0ad44a9c0
Gerrit-PatchSet: 1
Gerrit-Project: libosmo-netif
Gerrit-Branch: master
Gerrit-Owner: Pau Espin Pedrol <pespin at sysmocom.de>
Gerrit-Reviewer: Harald Welte <laforge at gnumonks.org>
Gerrit-Reviewer: Holger Freyther <holger at freyther.de>
Gerrit-Reviewer: Jenkins Builder
Gerrit-Reviewer: Pau Espin Pedrol <pespin at sysmocom.de>
Gerrit-HasComments: No


