From: David Laight <david.laight.linux@gmail.com>
Date: Mon, 2 Mar 2026 10:17:58 +0000 (+0000)
Subject: selftests/nolibc: Check that snprintf() doesn't write beyond the buffer end
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=4ea2dedd502e2b4bfa8a47f2aaaaac4eab01e00d;p=thirdparty%2Fkernel%2Flinux.git

selftests/nolibc: Check that snprintf() doesn't write beyond the buffer end

Fill buf[] with known data and check the vsnprintf() doesn't write
beyond the specified buffer length.

Would have picked up the bug in field padding.

Signed-off-by: David Laight <david.laight.linux@gmail.com>
Acked-by: Willy Tarreau <w@1wt.eu>
Link: https://patch.msgid.link/20260302101815.3043-7-david.laight.linux@gmail.com
Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
---

diff --git a/tools/testing/selftests/nolibc/nolibc-test.c b/tools/testing/selftests/nolibc/nolibc-test.c
index 154cc5711a4c9..5dc0edfe8d9aa 100644
--- a/tools/testing/selftests/nolibc/nolibc-test.c
+++ b/tools/testing/selftests/nolibc/nolibc-test.c
@@ -1679,6 +1679,10 @@ static int expect_vfprintf(int llen, const char *expected, const char *fmt, ...)
 	va_list args;
 	ssize_t w, expected_len;
 
+	/* Fill and terminate buf[] to check for overlong/absent writes */
+	memset(buf, 0xa5, sizeof(buf) - 1);
+	buf[sizeof(buf) - 1] = 0;
+
 	va_start(args, fmt);
 	/* Limit buffer length to test truncation */
 	w = vsnprintf(buf, VFPRINTF_LEN + 1, fmt, args);
@@ -1710,6 +1714,15 @@ static int expect_vfprintf(int llen, const char *expected, const char *fmt, ...)
 		return 1;
 	}
 
+	/* Check for any overwrites after the actual data. */
+	while (++cmp_len < sizeof(buf) - 1) {
+		if ((unsigned char)buf[cmp_len] != 0xa5) {
+			llen += printf(" overwrote buf[%d] with 0x%x", cmp_len, buf[cmp_len]);
+			result(llen, FAIL);
+			return 1;
+		}
+	}
+
 	result(llen, OK);
 	return 0;
 }