[PATCH] vsprintf: fix possible NULL pointer deref in vsnprintf()
From: Sergey Shtylyov
Date: Thu Jan 05 2023 - 16:16:54 EST
In vsnprintf() etc, C99 allows the 'buf' argument to be NULL when the
'size' argument equals 0. Let us treat NULL passed as if the 'buf'
argument pointed to a 0-sized buffer, so that we can avoid a NULL pointer
dereference and still return the # of characters that would be written if
'buf' pointed to a valid buffer...
Found by Linux Verification Center (linuxtesting.org) with the SVACE static
analysis tool.
Signed-off-by: Sergey Shtylyov <s.shtylyov@xxxxxx>
---
This patch is against the 'master' branch of the PRINTK Group's repo...
lib/vsprintf.c | 9 +++++++++
1 file changed, 9 insertions(+)
Index: linux/lib/vsprintf.c
===================================================================
--- linux.orig/lib/vsprintf.c
+++ linux/lib/vsprintf.c
@@ -2738,6 +2738,15 @@ int vsnprintf(char *buf, size_t size, co
if (WARN_ON_ONCE(size > INT_MAX))
return 0;
+ /*
+ * C99 allows @buf to be NULL when @size is 0. We treat such NULL as if
+ * @buf pointed to 0-sized buffer, so we can both avoid a NULL pointer
+ * dereference and still return # of characters that would be written
+ * if @buf pointed to a valid buffer...
+ */
+ if (!buf)
+ size = 0;
+
str = buf;
end = buf + size;