From: bluhm
Date: Thu, 20 Jan 2022 17:11:30 +0000 (+0000)
Subject: snprintf(9) allows NULL string if size is 0. But doing NULL pointer
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=bb22a51d4f21ac8b45d6a6a5140ad8edc919aaa6;p=openbsd

snprintf(9) allows NULL string if size is 0. But doing NULL pointer arithmetic is undefined behavior. Check that size is positive before adding to pointer. While there, use NUL char for string termination. found by kubsan; joint work with tobhe@; OK millert@
---

diff --git a/sys/kern/subr_prf.c b/sys/kern/subr_prf.c
index e2ad6cd97b3..f1d74024e4f 100644
--- a/sys/kern/subr_prf.c
+++ b/sys/kern/subr_prf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: subr_prf.c,v 1.104 2021/06/02 00:39:25 cheloha Exp $ */
+/* $OpenBSD: subr_prf.c,v 1.105 2022/01/20 17:11:30 bluhm Exp $ */
 /* $NetBSD: subr_prf.c,v 1.45 1997/10/24 18:14:25 chuck Exp $ */

 /*-
@@ -570,14 +570,14 @@ snprintf(char *buf, size_t size, const char *fmt, ...)
 va_list ap;
 char *p;

- p = buf + size - 1;
- if (size < 1)
- p = buf;
+ p = buf;
+ if (size > 0)
+ p += size - 1;
 va_start(ap, fmt);
 retval = kprintf(fmt, TOBUFONLY | TOCOUNT, &p, buf, ap);
 va_end(ap);
 if (size > 0)
- *(p) = 0; /* null terminate */
+ *p = '\0'; /* null terminate */
 return(retval);
 }
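Review bot: The zero-size contract that motivates the second hunk is not recorded in the code: after the rewrite `p = buf;` is reached with `buf` possibly NULL when `size == 0`, and a reader of snprintf alone cannot tell that this is permitted or that kprintf is then presumably only counting (the TOBUFONLY | TOCOUNT call is visible, its handling of `p == buf` is not). A comment above the assignment, `/* size == 0 permits buf == NULL, so never form buf + size - 1 here */`, would keep a later maintainer from folding the two `if (size > 0)` checks back into the old pointer arithmetic. Note that the old expression was also out of bounds for a non-NULL `buf` with `size == 0` (it pointed one element before the array), so the comment should not present the NULL case as the only hazard. The commit message says NUL, but the retained comment on the terminating store still reads `/* null terminate */`; `/* NUL terminate */` would match both the message and the new `'\0'` literal. snprintf's signature and the `retval` declaration lie outside the hunk.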