Move the length check in ifchd_cmd_str() before the snprintf() call, so that

failure cannot leave the ifchd_cmd in a state with unbalanced ':'.
This commit is contained in:
Nicholas J. Kain 2011-07-27 00:42:16 -04:00
parent 7ef7fa8a8d
commit d7103c887d

View File

@ -120,9 +120,9 @@ static int ifchd_cmd_str(char *buf, size_t buflen, char *optname,
uint8_t *optdata, ssize_t optlen) uint8_t *optdata, ssize_t optlen)
{ {
char *obuf = buf; char *obuf = buf;
buf += snprintf(buf, buflen, "%s:", optname); if (buflen < strlen(optname) + optlen + 3)
if (buflen < (buf - obuf) + optlen + 2)
return -1; return -1;
buf += snprintf(buf, buflen, "%s:", optname);
memcpy(buf, optdata, optlen); memcpy(buf, optdata, optlen);
buf[optlen] = ':'; buf[optlen] = ':';
buf[optlen+1] = '\0'; buf[optlen+1] = '\0';