From: Willy Tarreau <w@1wt.eu>
Date: Wed, 25 Jul 2007 12:38:45 +0000 (+0200)
Subject: [MEDIUM] ensure we never overflow in chunk_printf()
X-Git-Tag: v1.3.13~42
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=dceaa0894bd73c19d0d7130f571ac869b52f339d;p=thirdparty%2Fhaproxy.git

[MEDIUM] ensure we never overflow in chunk_printf()

The result of the vsnprintf() called in chunk_printf() must be checked,
and should be added only if lower than the requested size. We simply
return zero if we cannot write the chunk.
---

diff --git a/src/buffers.c b/src/buffers.c
index 658539c3ad..8b2c4d33eb 100644
--- a/src/buffers.c
+++ b/src/buffers.c
@@ -193,9 +193,15 @@ int buffer_insert_line2(struct buffer *b, char *pos, const char *str, int len)
 int chunk_printf(struct chunk *chk, int size, const char *fmt, ...)
 {
 	va_list argp;
+	int ret;
 
 	va_start(argp, fmt);
-	chk->len += vsnprintf(chk->str + chk->len, size - chk->len, fmt, argp);
+	ret = vsnprintf(chk->str + chk->len, size - chk->len, fmt, argp);
+	if (ret >= size - chk->len)
+		/* do not copy anything in case of truncation */
+		chk->str[chk->len] = 0;
+	else
+		chk->len += ret;
 	va_end(argp);
 	return chk->len;
 }