From 7b68df22bf8604d632063c3d8384dbf7ecca08db Mon Sep 17 00:00:00 2001
From: Guilherme Amadio
Date: Tue, 26 Nov 2024 14:14:29 +0100
Subject: [PATCH] [XrdDig] Fix potentially overflowing call to snprintf

From the man page for snprintf: The functions snprintf() and vsnprintf() do not write more than size bytes (including the terminating null byte ('\0')). If the output was truncated due to this limit, then the return value is the number of characters (excluding the terminating null byte) *which would have been written to the final string if enough space had been available*. Thus, a return value of size or more means that the output was truncated. We therefore need to check if n > buffer size, and act accordingly.
---
 src/XrdDig/XrdDigAuth.cc | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/XrdDig/XrdDigAuth.cc b/src/XrdDig/XrdDigAuth.cc
index 6460ffe3160..bfbc8d32b11 100644
--- a/src/XrdDig/XrdDigAuth.cc
+++ b/src/XrdDig/XrdDigAuth.cc
@@ -278,8 +278,10 @@ bool XrdDigAuth::Parse(XrdOucStream &aFile, int lNum)
 return Failure(lNum, "Invalid entity type -", var);
 if (*(var+1) != '=' || !*(var+2))
 return Failure(lNum, "Badly formed entity value in", var);
- n = snprintf(bP, bLeft, "%s", var+2) + 1;
- if ((bLeft -= n) <= 0) break;
+ n = snprintf(bP, bLeft, "%s", var+2);
+ if (n < 0 || n >= bLeft) break;
+ ++n;
+ bLeft -= n;
 if ((var = index(bP, '\\'))) Squash(var);
 aEnt.eP->eChk[eCode-eVec] = bP; bP += n;
 aOK = true;
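Review bot: The new `break` on `n < 0 || n >= bLeft` leaves `bLeft` untouched, whereas the removed line drove it to zero or below before breaking, so a check after the loop that keys on `bLeft <= 0` would no longer see the truncation. The end of the loop and the code after it are outside this hunk, so this is inferred rather than confirmed. If that is how the overflow was reported, an oversized entity value would now be dropped silently and the auth record accepted with fewer entity checks than the config line asked for. Failing closed at the point of detection removes the dependence on later state, e.g. `if (n < 0 || n >= bLeft) return Failure(lNum, "Entity value too long in", var);`, in line with the two `Failure` returns just above.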