From d7103c887d2447b32b9a3fbb4d98c0411c429659 Mon Sep 17 00:00:00 2001
From: "Nicholas J. Kain" <nicholas@kain.us>
Date: Wed, 27 Jul 2011 00:42:16 -0400
Subject: [PATCH] Move the length check in ifchd_cmd_str() before the
 snprintf() call, so that failure cannot leave the ifchd_cmd in a state with
 unbalanced ':'.

---
 ndhc/ifchange.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ndhc/ifchange.c b/ndhc/ifchange.c
index e1d7a6b..56fd7d7 100644
--- a/ndhc/ifchange.c
+++ b/ndhc/ifchange.c
@@ -120,9 +120,9 @@ static int ifchd_cmd_str(char *buf, size_t buflen, char *optname,
                          uint8_t *optdata, ssize_t optlen)
 {
     char *obuf = buf;
-    buf += snprintf(buf, buflen, "%s:", optname);
-    if (buflen < (buf - obuf) + optlen + 2)
+    if (buflen < strlen(optname) + optlen + 3)
         return -1;
+    buf += snprintf(buf, buflen, "%s:", optname);
     memcpy(buf, optdata, optlen);
     buf[optlen] = ':';
     buf[optlen+1] = '\0';