From 7ee27418a7d38542577c48abc43df57c0d3e69a5 Mon Sep 17 00:00:00 2001
From: Maria Matejka
Date: Thu, 14 Nov 2024 23:34:28 +0100
Subject: [PATCH] Printf: impossible buffer overflow fix

When printing near the end of the buffer, there was an overflow in two cases:
(1) %c and size is zero
(2) %1N, %1I, %1I4, %1I6 (auto-fill field_width for Net or IP), size is more than actual length of the net/ip but less than the auto-filled field width.

Manual code examination showed that nothing could have ever triggered this behavior. All older versions of BIRD, including BIRD 3 development versions, are totally safe.

This exact overflow has been found while implementing a new feature in later commits.
---
 lib/printf.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/lib/printf.c b/lib/printf.c
index 318e683c..0d2f95e8 100644
--- a/lib/printf.c
+++ b/lib/printf.c
@@ -169,9 +169,9 @@ int bvsnprintf(char *buf, int size, const char *fmt, va_list args)
 int qualifier; /* 'h' or 'l' for integer fields */
 
 for (start=str=buf ; *fmt ; ++fmt, size-=(str-start), start=str) {
+ if (!size)
+ return -1;
 if (*fmt != '%') {
- if (!size)
- return -1;
 *str++ = *fmt;
 continue;
 }
@@ -272,7 +272,7 @@ int bvsnprintf(char *buf, int size, const char *fmt, va_list args)
 len = strlen(s);
 if (precision >= 0 && len > precision)
 len = precision;
- if (len > size)
+ if ((len > size) || (field_width > size))
 return -1;
 if (!(flags & LEFT))
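Review bot: The hoisted guard in the first hunk tests only `size == 0`, so it relies on every directive below keeping `size` non-negative after the loop's `size-=(str-start)` update; since `size` is a signed `int`, writing it as `if (size <= 0) return -1;` costs nothing and also stops further writes if any conversion's own bound check is ever off by one. The move itself deserves a one-line comment so the next reader sees why the check left the literal-character branch: `/* every directive, including %c, writes at least one byte; check before dispatching */`. The remaining directive handling of bvsnprintf (and the tail of the second hunk) lies outside this patch, so I cannot confirm from here that no conversion can leave size negative; treat that as an assumption to verify.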