[libnf_ct,4/8] Fix incorrect snprintf size calculation

Message ID	20200623033443.18184-5-dxld@darkboxed.org
State	Superseded
Delegated to:	Pablo Neira
Headers	show Return-Path: <netfilter-devel-owner@vger.kernel.org> From: =?utf-8?q?Daniel_Gr=C3=B6ber?= <dxld@darkboxed.org> To: netfilter-devel@vger.kernel.org Cc: =?utf-8?q?Daniel_Gr=C3=B6ber?= <dxld@darkboxed.org> Subject: [libnf_ct PATCH 4/8] Fix incorrect snprintf size calculation Date: Tue, 23 Jun 2020 05:34:39 +0200 Message-Id: <20200623033443.18184-5-dxld@darkboxed.org> In-Reply-To: <20200623033443.18184-1-dxld@darkboxed.org> References: <20200623033443.18184-1-dxld@darkboxed.org> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit preview: The previous BUFFER_SIZE() call already updated the remaining 'len'. So there is no need to subtract 'size' again. While this just makes the buffer appear smaller than it is, which is mostly harmless, [...] Content analysis details: (-0.0 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 NO_RELAYS Informational: message was not relayed via SMTP Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk
Series	None \| expand [libnf_ct,3/8] Replace strncpy with snprintf to improve null byte handling [libnf_ct,4/8] Fix incorrect snprintf size calculation

Message ID

20200623033443.18184-5-dxld@darkboxed.org

State

Superseded

Delegated to:

Pablo Neira

Headers

From: =?utf-8?q?Daniel_Gr=C3=B6ber?= <dxld@darkboxed.org>
To: netfilter-devel@vger.kernel.org
Cc: =?utf-8?q?Daniel_Gr=C3=B6ber?= <dxld@darkboxed.org>
Subject: [libnf_ct PATCH 4/8] Fix incorrect snprintf size calculation
Date: Tue, 23 Jun 2020 05:34:39 +0200
Message-Id: <20200623033443.18184-5-dxld@darkboxed.org>
In-Reply-To: <20200623033443.18184-1-dxld@darkboxed.org>
References: <20200623033443.18184-1-dxld@darkboxed.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: netfilter-devel-owner@vger.kernel.org
Precedence: bulk

Series

None | expand

Commit Message

Daniel Gröber June 23, 2020, 3:34 a.m. UTC

The previous BUFFER_SIZE() call already updated the remaining 'len'. So
there is no need to subtract 'size' again. While this just makes the buffer
appear smaller than it is, which is mostly harmless, the subtraction might
underflow as 'size > len' is not checked like BUFFER_SIZE() does.

Signed-off-by: Daniel Gröber <dxld@darkboxed.org>
---
 src/conntrack/snprintf_default.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/conntrack/snprintf_default.c b/src/conntrack/snprintf_default.c
index 2f2f918..d00c5cb 100644
--- a/src/conntrack/snprintf_default.c
+++ b/src/conntrack/snprintf_default.c
@@ -108,7 +108,7 @@  static int __snprintf_address_ipv6(char *buf,
 	if (!inet_ntop(AF_INET6, &dst, tmp, sizeof(tmp)))
 		return -1;
 
-	ret = snprintf(buf+offset, len-size, "%s=%s ", dst_tag, tmp);
+	ret = snprintf(buf+offset, len, "%s=%s ", dst_tag, tmp);
 	BUFFER_SIZE(ret, size, len, offset);
 
 	return size;

[libnf_ct,4/8] Fix incorrect snprintf size calculation

Commit Message

Patch