logging/gsmtap: fix buffer overflow in _gsmtap_raw_output()

According to the man page, vsnprintf() returns: - a negative value in case of error; - the number of characters written (excluding '\0'); - the number of characters which *would have been written* if enough space had been available (excluding '\0'). We need to detect if the output was truncated, and properly limit the amount of bytes to be reserved within a msgb. Change-Id: Ifa822edf900ed925ba935c54a28c797c4657358a
author: Vadim Yanitskiy <axilirator@gmail.com> 2018-12-28 14:34:52 +0100
committer: Vadim Yanitskiy <axilirator@gmail.com> 2018-12-28 23:58:07 +0100
commit: 785ecc9e50f6da846089936f0683e2ef0a27e3f5 (patch)
tree: 2e7498a6b3575c2185e74a7026088f0b5fac5035 /src
parent: 470221575deaa14c670a5d4233df80119599141d (diff)
1 files changed, 6 insertions, 0 deletions
diff --git a/src/logging_gsmtap.c b/src/logging_gsmtap.c
index f17f292e..98d2aad3 100644
--- a/src/logging_gsmtap.c
+++ b/src/logging_gsmtap.c
@@ -102,6 +102,12 @@ static void _gsmtap_raw_output(struct log_target *target, int subsys,
 	if (rc < 0) {
 		msgb_free(msg);
 		return;
+	} else if (rc >= msgb_tailroom(msg)) {
+		/* If the output was truncated, vsnprintf() returns the
+		 * number of characters which would have been written
+		 * if enough space had been available (excluding '\0'). */
+		rc = msgb_tailroom(msg);
+		msg->tail[rc - 1]  = '\0';
 	}
 	msgb_put(msg, rc);
author	Vadim Yanitskiy <axilirator@gmail.com>	2018-12-28 14:34:52 +0100
committer	Vadim Yanitskiy <axilirator@gmail.com>	2018-12-28 23:58:07 +0100
commit	785ecc9e50f6da846089936f0683e2ef0a27e3f5 (patch)
tree	2e7498a6b3575c2185e74a7026088f0b5fac5035 /src
parent	470221575deaa14c670a5d4233df80119599141d (diff)