[XrdDig] Fix potentially overflowing call to snprintf

From the man page for snprintf: The functions snprintf() and vsnprintf() do not write more than size bytes (including the terminating null byte ('\0')). If the output was truncated due to this limit, then the return value is the number of characters (excluding the terminating null byte) *which would have been written to the final string if enough space had been available*. Thus, a return value of size or more means that the output was truncated. We therefore need to check if n > buffer size, and act accordingly.
cern-eos · Nov 26, 2024 · 7b68df2 · 7b68df2
1 parent e1349ec
commit 7b68df2
Showing 1 changed file with 4 additions and 2 deletions.
diff --git a/src/XrdDig/XrdDigAuth.cc b/src/XrdDig/XrdDigAuth.cc
@@ -278,8 +278,10 @@ bool XrdDigAuth::Parse(XrdOucStream &aFile, int lNum)
             return Failure(lNum, "Invalid entity type -", var);
          if (*(var+1) != '=' || !*(var+2))
             return Failure(lNum, "Badly formed entity value in", var);
-         n = snprintf(bP, bLeft, "%s", var+2) + 1;
-         if ((bLeft -= n) <= 0) break;
+         n = snprintf(bP, bLeft, "%s", var+2);
+         if (n < 0 || n >= bLeft) break;
+         ++n;
+         bLeft -= n;
          if ((var = index(bP, '\\'))) Squash(var);
          aEnt.eP->eChk[eCode-eVec] = bP; bP += n;
          aOK = true;