X-Git-Url: https://mattmccutchen.net/rsync/rsync.git/blobdiff_plain/8950ac03f8fd0fb645c7d2374195ea884d091f72..0cd2f40764dd156de309f7536f3867968b6c0fdd:/log.c diff --git a/log.c b/log.c index 64e97b91..045f0317 100644 --- a/log.c +++ b/log.c @@ -286,10 +286,35 @@ void rprintf(enum logcode code, const char *format, ...) int len; va_start(ap, format); + /* Note: might return -1 */ len = vsnprintf(buf, sizeof(buf), format, ap); va_end(ap); - if (len > sizeof(buf)-1) exit_cleanup(RERR_MESSAGEIO); + /* Deal with buffer overruns. Instead of panicking, just + * truncate the resulting string. Note that some vsnprintf()s + * return -1 on truncation, e.g., glibc 2.0.6 and earlier. */ + if ((size_t) len > sizeof(buf)-1 || len < 0) { + const char ellipsis[] = "[...]"; + + /* Reset length, and zero-terminate the end of our buffer */ + len = sizeof(buf)-1; + buf[len] = '\0'; + + /* Copy the ellipsis to the end of the string, but give + * us one extra character: + * + * v--- null byte at buf[sizeof(buf)-1] + * abcdefghij0 + * -> abcd[...]00 <-- now two null bytes at end + * + * If the input format string has a trailing newline, + * we copy it into that extra null; if it doesn't, well, + * all we lose is one byte. */ + strncpy(buf+len-sizeof(ellipsis), ellipsis, sizeof(ellipsis)); + if (format[strlen(format)-1] == '\n') { + buf[len-1] = '\n'; + } + } rwrite(code, buf, len); } @@ -307,18 +332,21 @@ void rsyserr(enum logcode code, int errcode, const char *format, ...) { va_list ap; char buf[1024]; - int len, sys_len; + int len; + size_t sys_len; char *sysmsg; va_start(ap, format); + /* Note: might return <0 */ len = vsnprintf(buf, sizeof(buf), format, ap); va_end(ap); - if (len > sizeof(buf)-1) exit_cleanup(RERR_MESSAGEIO); + if ((size_t) len > sizeof(buf)-1) + exit_cleanup(RERR_MESSAGEIO); sysmsg = strerror(errcode); sys_len = strlen(sysmsg); - if (len + 3 + sys_len > sizeof(buf) - 1) + if ((size_t) len + 3 + sys_len > sizeof(buf) - 1) exit_cleanup(RERR_MESSAGEIO); strcpy(buf + len, ": "); @@ -375,12 +403,18 @@ static void log_formatted(enum logcode code, char buf[1024]; char buf2[1024]; char *p, *s, *n; - int l; + size_t l; extern struct stats stats; extern int am_sender; extern int am_daemon; int64 b; + /* We expand % codes one by one in place in buf. We don't + * copy in the terminating nul of the inserted strings, but + * rather keep going until we reach the nul of the format. + * Just to make sure we don't clobber that nul and therefore + * accidentally keep going, we zero the buffer now. */ + memset(buf, 0, sizeof buf); strlcpy(buf, format, sizeof(buf)); for (s=&buf[0]; @@ -438,21 +472,30 @@ static void log_formatted(enum logcode code, break; } - if (!n) continue; + /* n is the string to be inserted in place of this % + * code; l is its length not including the trailing + * NUL */ + if (!n) + continue; l = strlen(n); - if ((l-1) + ((int)(s - &buf[0])) > sizeof(buf)) { + if (l + ((int)(s - &buf[0])) >= sizeof(buf)) { rprintf(FERROR,"buffer overflow expanding %%%c - exiting\n", p[0]); exit_cleanup(RERR_MESSAGEIO); } + /* Shuffle the rest of the string along to make space for n */ if (l != 2) { memmove(s+(l-1), s+1, strlen(s+1)+1); } + + /* Copy in n but NOT its nul, because the format sting + * probably continues after this. */ memcpy(p, n, l); + /* Skip over inserted string; continue looking */ s = p+l; }