summaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorVadim Yanitskiy <axilirator@gmail.com>2018-12-28 14:34:52 +0100
committerVadim Yanitskiy <axilirator@gmail.com>2018-12-28 23:58:07 +0100
commit785ecc9e50f6da846089936f0683e2ef0a27e3f5 (patch)
tree2e7498a6b3575c2185e74a7026088f0b5fac5035 /src
parent470221575deaa14c670a5d4233df80119599141d (diff)
logging/gsmtap: fix buffer overflow in _gsmtap_raw_output()
According to the man page, vsnprintf() returns: - a negative value in case of error; - the number of characters written (excluding '\0'); - the number of characters which *would have been written* if enough space had been available (excluding '\0'). We need to detect if the output was truncated, and properly limit the amount of bytes to be reserved within a msgb. Change-Id: Ifa822edf900ed925ba935c54a28c797c4657358a
Diffstat (limited to 'src')
-rw-r--r--src/logging_gsmtap.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/src/logging_gsmtap.c b/src/logging_gsmtap.c
index f17f292e..98d2aad3 100644
--- a/src/logging_gsmtap.c
+++ b/src/logging_gsmtap.c
@@ -102,6 +102,12 @@ static void _gsmtap_raw_output(struct log_target *target, int subsys,
if (rc < 0) {
msgb_free(msg);
return;
+ } else if (rc >= msgb_tailroom(msg)) {
+ /* If the output was truncated, vsnprintf() returns the
+ * number of characters which would have been written
+ * if enough space had been available (excluding '\0'). */
+ rc = msgb_tailroom(msg);
+ msg->tail[rc - 1] = '\0';
}
msgb_put(msg, rc);