Bug 11229 - off-by-one in snprintf() check
Status: RESOLVED FIXED
Product: rsync
Component: core
Version: 3.1.1
Hardware: All All
Importance: P5 normal
Assignee: Wayne Davison
QA Contact: Rsync QA Contact
Reported: 2015-04-21 11:53 UTC by Stefan Behrens
Modified: 2015-04-22 17:33 UTC

Description Stefan Behrens 2015-04-21 11:53:03 UTC
From 55639a2dbc7b2fd5bca9f7068ae0153627e8a7fa Mon Sep 17 00:00:00 2001
From: Stefan Behrens <sbehrens@giantdisaster.de>
Date: Tue, 21 Apr 2015 13:50:38 +0200
Subject: [PATCH] rsync: fix off-by-one in check of snprintf() result

Signed-off-by: Stefan Behrens <sbehrens@giantdisaster.de>
---
 io.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/io.c b/io.c
index b9a9bd082737..03e13d846fa0 100644
--- a/io.c
+++ b/io.c
@@ -2283,7 +2283,7 @@ void io_printf(int fd, const char *format, ...)
        if (len < 0)
                exit_cleanup(RERR_PROTOCOL);

-       if (len > (int)sizeof buf) {
+       if (len >= (int)sizeof buf) {
                rprintf(FERROR, "io_printf() was too long for the buffer.\n");
                exit_cleanup(RERR_PROTOCOL);
        }
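
Review bot: The new check at `if (len >= (int)sizeof buf)` carries no comment and the commit message has no body, so the reason equality must be rejected is left for the reader to work out. Going by the subject line, `len` is an snprintf()-style result, which counts the characters that would have been written without the terminating NUL; `len == sizeof buf` therefore already means the last character was dropped to make room for the NUL, and the old `>` test let that truncated message through. Suggest a one-line comment above the check, for example `/* len excludes the NUL, so len == sizeof buf is already truncated */`, and the same sentence in the commit message.
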
--
1.7.7
Comment 1 Wayne Davison 2015-04-22 17:33:15 UTC
Thanks for pointing that out, and for the patch.  I've applied it.

Note that it works better to attach the patch to the ticket instead of pasting it, as that preserves the tabs, making it easier to apply the patch.