From: Eric Blake <eblake@redhat.com>
Date: Sat, 19 Mar 2011 02:19:31 +0000 (-0600)
Subject: logging: fix off-by-one bug
X-Git-Tag: CVE-2011-1486~27
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=dd5564f218f54bbca6aa57394b755f61ca224501;p=thirdparty%2Flibvirt.git

logging: fix off-by-one bug

Valgrind caught that our log wrap-around was going 1 past the end.
Regression introduced in commit b16f47a; previously the
buffer was static and size+1 bytes, but now it is dynamic and
exactly size bytes.

* src/util/logging.c (virLogStr): Don't write past end of log.
---

diff --git a/src/util/logging.c b/src/util/logging.c
index b972f8a796..f4910ad945 100644
--- a/src/util/logging.c
+++ b/src/util/logging.c
@@ -326,7 +326,7 @@ static void virLogStr(const char *str, int len) {
         return;
     if (len <= 0)
         len = strlen(str);
-    if (len > virLogSize)
+    if (len >= virLogSize)
         return;
     virLogLock();
 
@@ -336,13 +336,13 @@ static void virLogStr(const char *str, int len) {
     if (virLogEnd + len >= virLogSize) {
         tmp = virLogSize - virLogEnd;
         memcpy(&virLogBuffer[virLogEnd], str, tmp);
-        virLogBuffer[virLogSize] = 0;
         memcpy(&virLogBuffer[0], &str[tmp], len - tmp);
         virLogEnd = len - tmp;
     } else {
         memcpy(&virLogBuffer[virLogEnd], str, len);
         virLogEnd += len;
     }
+    virLogBuffer[virLogEnd] = 0;
     /*
      * Update the log length, and if full move the start index
      */