From 785ecc9e50f6da846089936f0683e2ef0a27e3f5 Mon Sep 17 00:00:00 2001 From: Vadim Yanitskiy Date: Fri, 28 Dec 2018 14:34:52 +0100 Subject: logging/gsmtap: fix buffer overflow in _gsmtap_raw_output() According to the man page, vsnprintf() returns: - a negative value in case of error; - the number of characters written (excluding '\0'); - the number of characters which *would have been written* if enough space had been available (excluding '\0'). We need to detect if the output was truncated, and properly limit the amount of bytes to be reserved within a msgb. Change-Id: Ifa822edf900ed925ba935c54a28c797c4657358a
---
 src/logging_gsmtap.c | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'src')
diff --git a/src/logging_gsmtap.c b/src/logging_gsmtap.c
index f17f292e..98d2aad3 100644
--- a/src/logging_gsmtap.c
+++ b/src/logging_gsmtap.c
@@ -102,6 +102,12 @@ static void _gsmtap_raw_output(struct log_target *target, int subsys,
 if (rc < 0) {
 msgb_free(msg);
 return;
+ } else if (rc >= msgb_tailroom(msg)) {
+ /* If the output was truncated, vsnprintf() returns the
+ * number of characters which would have been written
+ * if enough space had been available (excluding '\0'). */
+ rc = msgb_tailroom(msg);
+ msg->tail[rc - 1] = '\0';

 msgb_put(msg, rc);
--
cgit v1.2.3
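Review bot: In the new `else if` branch, `msg->tail[rc - 1] = '\0';` indexes one byte before the tail when `msgb_tailroom(msg)` is 0, because `rc` has just been set to that value. The allocation and the vsnprintf() call sit above the hunk, so whether the tailroom can reach zero here is not visible; a local guard such as `if (rc > 0) msg->tail[rc - 1] = '\0';` would make the branch safe on its own. The truncated case also hands the whole tailroom to `msgb_put()`, so the terminating NUL is counted in the payload length, whereas the untruncated case passes a count that excludes it. If receivers should see a consistent length, the branch could clamp to one byte less than the tailroom once that is known to be non-zero. A short comment saying the log text is silently cut at this point would help whoever later reads the captured GSMTAP log records.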