From: Florian Forster <octo@collectd.org>
Date: Sun, 14 Aug 2016 19:36:27 +0000 (+0200)
Subject: ceph plugin: Rewrite the BUFFER_ADD() macro.
X-Git-Tag: collectd-5.6.0~23
X-Git-Url: https://git.octo.it/?a=commitdiff_plain;h=9f0083d83892fc93f71b74ab1344e8bfa44f0259;p=collectd.git

ceph plugin: Rewrite the BUFFER_ADD() macro.

I'm hoping that this fixes a potential integer underrun that may occur
when unconditionally subtracting strlen(dest) from sizeof(dest).

Issue: #1835
---

diff --git a/src/ceph.c b/src/ceph.c
index 55cd64c6..5b792391 100644
--- a/src/ceph.c
+++ b/src/ceph.c
@@ -262,8 +262,11 @@ static int ceph_cb_boolean(void *ctx, int bool_val)
 
 #define BUFFER_ADD(dest, src) do { \
     size_t dest_size = sizeof (dest); \
-    strncat ((dest), (src), dest_size - strlen (dest)); \
-    (dest)[dest_size - 1] = '\0'; \
+    size_t dest_len = strlen (dest); \
+    if (dest_size > dest_len) { \
+        sstrncpy ((dest) + dest_len, (src), dest_size - dest_len); \
+    } \
+    (dest)[dest_size - 1] = 0; \
 } while (0)
 
 static int
@@ -271,11 +274,10 @@ ceph_cb_number(void *ctx, const char *number_val, yajl_len_t number_len)
 {
     yajl_struct *state = (yajl_struct*) ctx;
     char buffer[number_len+1];
-    char key[2 * DATA_MAX_NAME_LEN];
+    char key[2 * DATA_MAX_NAME_LEN] = { 0 };
     _Bool latency_type = 0;
     int status;
 
-    key[0] = '\0';
     memcpy(buffer, number_val, number_len);
     buffer[sizeof(buffer) - 1] = '\0';