logging/gsmtap: fix buffer overflow in _gsmtap_raw_output() According to the man page, vsnprintf() returns: - a negative value in case of error; - the number of characters written (excluding '\0'); - the number of characters which *would have been written* if enough space had been available (excluding '\0'). We need to detect if the output was truncated, and properly limit the amount of bytes to be reserved within a msgb. Change-Id: Ifa822edf900ed925ba935c54a28c797c4657358a

commit: 785ecc9e50f6da846089936f0683e2ef0a27e3f5 [log] [tgz]
author: Vadim Yanitskiy <axilirator@gmail.com> Fri Dec 28 14:34:52 2018 +0100
committer: Vadim Yanitskiy <axilirator@gmail.com> Fri Dec 28 23:58:07 2018 +0100
tree: 2e7498a6b3575c2185e74a7026088f0b5fac5035
parent: 470221575deaa14c670a5d4233df80119599141d [diff] [blame]
diff --git a/src/logging_gsmtap.c b/src/logging_gsmtap.c
index f17f292..98d2aad 100644
--- a/src/logging_gsmtap.c
+++ b/src/logging_gsmtap.c

@@ -102,6 +102,12 @@
 	if (rc < 0) {
 		msgb_free(msg);
 		return;
+	} else if (rc >= msgb_tailroom(msg)) {
+		/* If the output was truncated, vsnprintf() returns the
+		 * number of characters which would have been written
+		 * if enough space had been available (excluding '\0'). */
+		rc = msgb_tailroom(msg);
+		msg->tail[rc - 1]  = '\0';
 	}
 	msgb_put(msg, rc);
commit	785ecc9e50f6da846089936f0683e2ef0a27e3f5	[log] [tgz]
author	Vadim Yanitskiy <axilirator@gmail.com>	Fri Dec 28 14:34:52 2018 +0100
committer	Vadim Yanitskiy <axilirator@gmail.com>	Fri Dec 28 23:58:07 2018 +0100
tree	2e7498a6b3575c2185e74a7026088f0b5fac5035
parent	470221575deaa14c670a5d4233df80119599141d [diff] [blame]