Commit 118917d6 authored Mar 28, 2020 by Fedor Tokarev Committed by Anna Schumaker May 27, 2020

net: sunrpc: Fix off-by-one issues in 'rpc_ntop6'



Fix off-by-one issues in 'rpc_ntop6':
 - 'snprintf' returns the number of characters which would have been
   written if enough space had been available, excluding the terminating
   null byte. Thus, a return value of 'sizeof(scopebuf)' means that the
   last character was dropped.
 - 'strcat' adds a terminating null byte to the string, thus if len ==
   buflen, the null byte is written past the end of the buffer.

Signed-off-by: Fedor Tokarev <ftokarev@gmail.com>
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>

parent 00a7a00e

net/sunrpc/addr.c

+2 −2

Original line number	Original line	Diff line number	Diff line
	@@ -82,11 +82,11 @@ static size_t rpc_ntop6(const struct sockaddr *sap,

	rc = snprintf(scopebuf, sizeof(scopebuf), "%c%u",		rc = snprintf(scopebuf, sizeof(scopebuf), "%c%u",
	IPV6_SCOPE_DELIMITER, sin6->sin6_scope_id);		IPV6_SCOPE_DELIMITER, sin6->sin6_scope_id);
	if (unlikely((size_t)rc > sizeof(scopebuf)))		if (unlikely((size_t)rc >= sizeof(scopebuf)))
	return 0;		return 0;

	len += rc;		len += rc;
	if (unlikely(len > buflen))		if (unlikely(len >= buflen))
	return 0;		return 0;

	strcat(buf, scopebuf);		strcat(buf, scopebuf);