From bb22a51d4f21ac8b45d6a6a5140ad8edc919aaa6 Mon Sep 17 00:00:00 2001
From: bluhm
Date: Thu, 20 Jan 2022 17:11:30 +0000
Subject: [PATCH] snprintf(9) allows NULL string if size is 0. But doing NULL pointer arithmetic is undefined behavior. Check that size is positive before adding to pointer. While there, use NUL char for string termination. found by kubsan; joint work with tobhe@; OK millert@
---
 sys/kern/subr_prf.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/sys/kern/subr_prf.c b/sys/kern/subr_prf.c
index e2ad6cd97b3..f1d74024e4f 100644
--- a/sys/kern/subr_prf.c
+++ b/sys/kern/subr_prf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: subr_prf.c,v 1.104 2021/06/02 00:39:25 cheloha Exp $ */
+/* $OpenBSD: subr_prf.c,v 1.105 2022/01/20 17:11:30 bluhm Exp $ */
 /* $NetBSD: subr_prf.c,v 1.45 1997/10/24 18:14:25 chuck Exp $ */
 
 /*-
@@ -570,14 +570,14 @@ snprintf(char *buf, size_t size, const char *fmt, ...)
 va_list ap;
 char *p;
 
- p = buf + size - 1;
- if (size < 1)
- p = buf;
+ p = buf;
+ if (size > 0)
+ p += size - 1;
 va_start(ap, fmt);
 retval = kprintf(fmt, TOBUFONLY | TOCOUNT, &p, buf, ap);
 va_end(ap);
 if (size > 0)
- *(p) = 0; /* null terminate */
+ *p = '\0'; /* null terminate */
 return(retval);
 }
 
-- 
2.20.1
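Review bot: The invariant that the new `p = buf; if (size > 0) p += size - 1;` lines establish is not stated anywhere near the code, and the NULL-with-size-0 contract the commit message relies on is only implied by the `if (size > 0)` guard on the terminating store. A short comment above the assignment would make both explicit, e.g. `/* p = last writable byte (buf[size-1]); with size == 0 buf may be NULL, p == buf and nothing is written */`. Whether size == 0 is really free of any dereference also depends on kprintf's TOBUFONLY path treating `*p == buf` as "cursor already at end" — that is presumably the case since the old code had the same shape, but it is worth confirming in kprintf rather than assuming. The enclosing snprintf starts outside the hunk (its signature appears only in the hunk header and `retval` is declared above the visible context), so the comment would sit just after the `char *p;` declaration.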