Commit 73a20c31 authored by Fedor Tokarev's avatar Fedor Tokarev Committed by Kelsey Skunberg

net: sunrpc: Fix off-by-one issues in 'rpc_ntop6'

BugLink: https://bugs.launchpad.net/bugs/1885932

[ Upstream commit 118917d6 ]

Fix off-by-one issues in 'rpc_ntop6':
 - 'snprintf' returns the number of characters which would have been
   written if enough space had been available, excluding the terminating
   null byte. Thus, a return value of 'sizeof(scopebuf)' means that the
   last character was dropped.
 - 'strcat' adds a terminating null byte to the string, thus if len ==
   buflen, the null byte is written past the end of the buffer.
Signed-off-by: default avatarFedor Tokarev <ftokarev@gmail.com>
Signed-off-by: default avatarAnna Schumaker <Anna.Schumaker@Netapp.com>
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
Signed-off-by: default avatarKamal Mostafa <kamal@canonical.com>
Signed-off-by: default avatarKelsey Skunberg <kelsey.skunberg@canonical.com>
parent d74a68da
......@@ -81,11 +81,11 @@ static size_t rpc_ntop6(const struct sockaddr *sap,
rc = snprintf(scopebuf, sizeof(scopebuf), "%c%u",
IPV6_SCOPE_DELIMITER, sin6->sin6_scope_id);
if (unlikely((size_t)rc > sizeof(scopebuf)))
if (unlikely((size_t)rc >= sizeof(scopebuf)))
return 0;
len += rc;
if (unlikely(len > buflen))
if (unlikely(len >= buflen))
return 0;
strcat(buf, scopebuf);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment