net: sunrpc: Fix off-by-one issues in 'rpc_ntop6'

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

Fix off-by-one issues in 'rpc_ntop6':
- 'snprintf' returns the number of characters which would have been
written if enough space had been available, excluding the terminating
null byte. Thus, a return value of 'sizeof(scopebuf)' means that the
last character was dropped.
- 'strcat' adds a terminating null byte to the string, thus if len ==
buflen, the null byte is written past the end of the buffer.

Signed-off-by: Fedor Tokarev <ftokarev@gmail.com>
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>

authored by

Fedor Tokarev and committed by

Anna Schumaker 5 years ago 118917d6 00a7a00e

+2 -2

1 changed file

expand all

net

sunrpc

addr.c

+2 -2

net/sunrpc/addr.c

··· 82 82 83 83 rc = snprintf(scopebuf, sizeof(scopebuf), "%c%u", 84 84 IPV6_SCOPE_DELIMITER, sin6->sin6_scope_id); 85 - if (unlikely((size_t)rc > sizeof(scopebuf))) 85 + if (unlikely((size_t)rc >= sizeof(scopebuf))) 86 86 return 0; 87 87 88 88 len += rc; 89 - if (unlikely(len > buflen)) 89 + if (unlikely(len >= buflen)) 90 90 return 0; 91 91 92 92 strcat(buf, scopebuf);