Fix vsnprintf off-by-one bug The recent vsnprintf() fix introduced an off-by-one, and it's now possible to overrun the target buffer by one byte. The "end" pointer points to past the end of the buffer, so if we have to truncate the result, it needs to be done though "end[-1]". [ This is just an alternate and simpler patch to one proposed by Andrew and Jeremy, who actually noticed the problem ] Acked-by: Andrew Morton <akpm@osdl.org> Acked-by: Jeremy Fitzhardinge <jeremy@goop.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>

commit: 0a6047eef1c465c38aacfbdab193161b3f0cd144 [log] [tgz]
author: Linus Torvalds <torvalds@g5.osdl.org> Wed Jun 28 17:09:34 2006 -0700
committer: Linus Torvalds <torvalds@g5.osdl.org> Wed Jun 28 17:09:34 2006 -0700
tree: 3347213ad162a9570d6f4c5cffa1f8db7abb7cba
parent: 27d68a36c4f1ca2fc6be82620843493462c08c51 [diff] [blame]
diff --git a/lib/vsprintf.c b/lib/vsprintf.c
index 797428a..bed7229 100644
--- a/lib/vsprintf.c
+++ b/lib/vsprintf.c

@@ -489,7 +489,7 @@
 		if (str < end)
 			*str = '\0';
 		else
-			*end = '\0';
+			end[-1] = '\0';
 	}
 	/* the trailing null byte doesn't count towards the total */
 	return str-buf;
commit	0a6047eef1c465c38aacfbdab193161b3f0cd144	[log] [tgz]
author	Linus Torvalds <torvalds@g5.osdl.org>	Wed Jun 28 17:09:34 2006 -0700
committer	Linus Torvalds <torvalds@g5.osdl.org>	Wed Jun 28 17:09:34 2006 -0700
tree	3347213ad162a9570d6f4c5cffa1f8db7abb7cba
parent	27d68a36c4f1ca2fc6be82620843493462c08c51 [diff] [blame]