Fix vsnprintf off-by-one bug
The recent vsnprintf() fix introduced an off-by-one, and it's now
possible to overrun the target buffer by one byte.

The "end" pointer points to past the end of the buffer, so if we
have to truncate the result, it needs to be done through "end[-1]".

[ This is just an alternate and simpler patch to one proposed by Andrew
  and Jeremy, who actually noticed the problem ]

Acked-by: Andrew Morton <akpm@osdl.org>
Acked-by: Jeremy Fitzhardinge <jeremy@goop.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Linus Torvalds committed Jun 29, 2006
1 parent 27d68a3 commit 0a6047e
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion lib/vsprintf.c
Expand Up @@ -489,7 +489,7 @@ int vsnprintf(char *buf, size_t size, const char *fmt, va_list args)
if (str < end)
*str = '\0';
else
*end = '\0';
end[-1] = '\0';
}
/* the trailing null byte doesn't count towards the total */
return str-buf;
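Review bot: the `end[-1] = '\0'` write in the else branch is only in bounds when the buffer holds at least one byte; with `size` equal to 0, `end[-1]` would land one byte before `buf`. The closing brace right after it suggests an enclosing condition, but that condition is outside the hunk context, so please confirm it rejects a zero `size` before this branch can run. A one-line comment at the else noting that `end` points one past the last byte of `buf` would also help keep the original `*end` form from being reintroduced.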