[rtems commit] Don't use unsafe buffer operations

Sebastian Huber sebh at rtems.org
Mon Jan 20 07:54:04 UTC 2014


Module:    rtems
Branch:    master
Commit:    a32f996b6041ed60aec7ecd23cb750e98ba56e4f
Changeset: http://git.rtems.org/rtems/commit/?id=a32f996b6041ed60aec7ecd23cb750e98ba56e4f

Author:    Nick Withers <nick.withers at anu.edu.au>
Date:      Mon Jan 20 13:00:35 2014 +1100

Don't use unsafe buffer operations

Don't use unsafe buffer operations, averting (stack) buffer overflow
when the syslog message length (including Facility and Level encoding)
would exceed 199 characters

---

 cpukit/libnetworking/lib/syslog.c |   30 ++++++++++++------------------
 1 files changed, 12 insertions(+), 18 deletions(-)

diff --git a/cpukit/libnetworking/lib/syslog.c b/cpukit/libnetworking/lib/syslog.c
index c0e7270..066d7ab 100644
--- a/cpukit/libnetworking/lib/syslog.c
+++ b/cpukit/libnetworking/lib/syslog.c
@@ -49,7 +49,6 @@ void
 vsyslog (int pri, const char *fmt, va_list ap)
 {
 	int cnt;
-	char *cp;
 	char *msgp, cbuf[200];
 	int sent;
 
@@ -65,26 +64,21 @@ vsyslog (int pri, const char *fmt, va_list ap)
 	if ((pri & LOG_FACMASK) == 0)
 		pri |= LogFacility;
 
-	cnt = sprintf (cbuf, "<%d>", pri);
-	cp = msgp = cbuf + cnt;
-	if (LogTag) {
-		const char *lp = LogTag;
-		while ((*cp = *lp++) != '\0')
-			cp++;
-	}
-	if (LogStatus & LOG_PID) {
+	cnt = snprintf (cbuf, sizeof (cbuf), "<%d>", pri);
+	msgp = cbuf + (cnt < sizeof (cbuf) ? cnt : sizeof (cbuf) - 1);
+	if (LogTag && cnt < sizeof (cbuf) - 1)
+		cnt += snprintf (cbuf + cnt, sizeof (cbuf) - cnt, "%s", LogTag);
+	if (LogStatus & LOG_PID && cnt < sizeof (cbuf) - 1) {
 		rtems_id tid;
 		rtems_task_ident (RTEMS_SELF, 0, &tid);
-		cnt = sprintf (cp, "[%#lx]", (unsigned long)tid);
-		cp += cnt;
-	}
-	if (LogTag) {
-		*cp++ = ':';
-		*cp++ = ' ';
+		cnt += snprintf (cbuf + cnt, sizeof (cbuf) - cnt, "[%#lx]", (unsigned long)tid);
 	}
-	cnt = vsprintf (cp, fmt, ap);
-	cnt += cp - cbuf;
-	if (cbuf[cnt-1] == '\n')
+	if (LogTag && cnt < sizeof (cbuf) - 1)
+		cnt += snprintf (cbuf + cnt, sizeof (cbuf) - cnt, ": ");
+	cnt += vsnprintf (cbuf + cnt, sizeof (cbuf) - cnt, fmt, ap);
+	if (cnt > sizeof (cbuf) - 1)
+		cnt = sizeof (cbuf) - 1;
+	while (cnt > 0 && cbuf[cnt-1] == '\n')
 		cbuf[--cnt] = '\0';
 
 	if (LogStatus & LOG_PERROR)




More information about the vc mailing list