osmocom
/
libosmocore
mirror of https://gerrit.osmocom.org/libosmocore
11
0
Fork 0
Code Issues Releases Wiki Activity

logging/gsmtap: fix buffer overflow in _gsmtap_raw_output() 

According to the man page, vsnprintf() returns:

  - a negative value in case of error;
  - the number of characters written (excluding '\0');
  - the number of characters which *would have been written*
    if enough space had been available (excluding '\0').

We need to detect if the output was truncated, and properly
limit the amount of bytes to be reserved within a msgb.

Change-Id: Ifa822edf900ed925ba935c54a28c797c4657358a
This commit is contained in:
Vadim Yanitskiy 2018-12-28 14:34:52 +01:00
parent 470221575d
commit 785ecc9e50
1 changed files with 6 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
src/logging_gsmtap.c
View File

@ -102,6 +102,12 @@ static void _gsmtap_raw_output(struct log_target *target, int subsys,
if (rc < 0) {
msgb_free(msg);
return;
} else if (rc >= msgb_tailroom(msg)) {
/* If the output was truncated, vsnprintf() returns the
* number of characters which would have been written
* if enough space had been available (excluding '\0'). */
rc = msgb_tailroom(msg);
msg->tail[rc - 1] = '\0';
}
msgb_put(msg, rc);