Re: [PATCH] bootconfig: Fix off-by-one in xbc_node_compose_key_after()
From: Andrew Morton
Date: Thu Aug 13 2020 - 22:38:21 EST
On Thu, 13 Aug 2020 18:30:50 -0400 Steven Rostedt <rostedt@xxxxxxxxxxx> wrote:
> From: Steven Rostedt (VMware) <rostedt@xxxxxxxxxxx>
>
> While reviewing some patches for bootconfig, I noticed the following
> code in xbc_node_compose_key_after():
>
> ret = snprintf(buf, size, "%s%s", xbc_node_get_data(node),
> depth ? "." : "");
> if (ret < 0)
> return ret;
> if (ret > size) {
> size = 0;
> } else {
> size -= ret;
> buf += ret;
> }
>
> But snprintf() returns the number of bytes that would be written, not
> the number of bytes that are written (ignoring the nul terminator).
> This means that if the number of non null bytes written were to equal
> size, then the nul byte, which snprintf() always adds, will overwrite
> that last byte.
>
> ret = snprintf(buf, 5, "hello");
> printf("buf = '%s'\n", buf);
> printf("ret = %d\n", ret);
>
> produces:
>
> buf = 'hell'
> ret = 5
>
> The string was truncated without ret being greater than 5.
> Test (ret >= size) for overwrite.
What are the end-user visible effects of the bug? IOW, why cc:stable?