From e16ab7b89948c24a2c47652e8eb1a817a4b1424c Mon Sep 17 00:00:00 2001 From: Guus Sliepen Date: Thu, 23 Jun 2016 15:26:58 +0200 Subject: [PATCH] Force nul-termination of strings after vsnprintf(). Apparently, on Windows this function might not always be properly terminated. --- src/bsd/tunemu.c | 2 +- src/dropin.c | 1 + src/logger.c | 8 +++++--- src/protocol.c | 5 +++-- src/tincctl.c | 3 ++- 5 files changed, 12 insertions(+), 7 deletions(-) diff --git a/src/bsd/tunemu.c b/src/bsd/tunemu.c index 1ce90074..d2b9f3d9 100644 --- a/src/bsd/tunemu.c +++ b/src/bsd/tunemu.c @@ -87,7 +87,7 @@ static void tun_error(char *format, ...) { va_list vl; va_start(vl, format); - vsnprintf(tunemu_error, ERROR_BUFFER_SIZE, format, vl); + vsnprintf(tunemu_error, sizeof tunemu_error, format, vl); va_end(vl); } diff --git a/src/dropin.c b/src/dropin.c index fe3b7ef2..c7b558a4 100644 --- a/src/dropin.c +++ b/src/dropin.c @@ -106,6 +106,7 @@ int vasprintf(char **buf, const char *fmt, va_list ap) { va_copy(aq, ap); status = vsnprintf(*buf, len, fmt, aq); + buf[len - 1] = 0; va_end(aq); if(status >= 0) diff --git a/src/logger.c b/src/logger.c index e46d926f..6028e3d0 100644 --- a/src/logger.c +++ b/src/logger.c @@ -110,20 +110,22 @@ void logger(int level, int priority, const char *format, ...) { va_start(ap, format); int len = vsnprintf(message, sizeof message, format, ap); + message[sizeof message - 1] = 0; va_end(ap); - if(len > 0 && len < sizeof message && message[len - 1] == '\n') + if(len > 0 && len < sizeof message - 1 && message[len - 1] == '\n') message[len - 1] = 0; real_logger(level, priority, message); } static void sptps_logger(sptps_t *s, int s_errno, const char *format, va_list ap) { - char message[1024] = ""; + char message[1024]; size_t msglen = sizeof message; int len = vsnprintf(message, msglen, format, ap); - if(len > 0 && len < sizeof message) { + message[sizeof message - 1] = 0; + if(len > 0 && len < sizeof message - 1) { if(message[len - 1] == '\n') message[--len] = 0; diff --git a/src/protocol.c b/src/protocol.c index f533a932..b9abccc3 100644 --- a/src/protocol.c +++ b/src/protocol.c @@ -72,10 +72,11 @@ bool send_request(connection_t *c, const char *format, ...) { input buffer anyway */ va_start(args, format); - len = vsnprintf(request, MAXBUFSIZE, format, args); + len = vsnprintf(request, sizeof request, format, args); + request[sizeof request - 1] = 0; va_end(args); - if(len < 0 || len > MAXBUFSIZE - 1) { + if(len < 0 || len > sizeof request - 1) { logger(DEBUG_ALWAYS, LOG_ERR, "Output buffer overflow while sending request to %s (%s)", c->name, c->hostname); return false; diff --git a/src/tincctl.c b/src/tincctl.c index 9f9df6f6..a0a7633d 100644 --- a/src/tincctl.c +++ b/src/tincctl.c @@ -560,6 +560,7 @@ bool sendline(int fd, char *format, ...) { va_start(ap, format); blen = vsnprintf(buffer, sizeof buffer, format, ap); + buffer[sizeof buffer - 1] = 0; va_end(ap); if(blen < 1 || blen >= sizeof buffer) @@ -885,7 +886,7 @@ static int cmd_start(int argc, char *argv[]) { if(!pid) { close(pfd[0]); - char buf[100] = ""; + char buf[100]; snprintf(buf, sizeof buf, "%d", pfd[1]); setenv("TINC_UMBILICAL", buf, true); exit(execvp(c, nargv));