+2001-01-24 Kevin L. Mitchell <klmitch@mit.edu>
+
+ * ircd/msgq.c: ircd_vsnprintf() returns the number of bytes that
+ it would have written; upper-bound the number to prevent overflows
+ by proxy; also, tune buffer size given to ircd_vsnprintf() to take
+ into account the fact that ircd_vsnprintf() already takes the
+ terminal \0 into account
+
2001-01-22 Kevin L. Mitchell <klmitch@mit.edu>
* ircd/msgq.c: add an incredibly ugly hack to attempt to track
mb->ref = 1;
/* fill the buffer */
- mb->length = ircd_vsnprintf(dest, mb->msg, sizeof(mb->msg) - 3, format, vl);
+ mb->length = ircd_vsnprintf(dest, mb->msg, sizeof(mb->msg) - 2, format, vl);
+
+ if (mb->length > sizeof(mb->msg) - 3)
+ mb->length = sizeof(mb->msg) - 3;
mb->msg[mb->length++] = '\r'; /* add \r\n to buffer */
mb->msg[mb->length++] = '\n';
va_start(vl, format); /* append to the buffer */
mb->length += ircd_vsnprintf(dest, mb->msg + mb->length,
- sizeof(mb->msg) - 3 - mb->length, format, vl);
+ sizeof(mb->msg) - 2 - mb->length, format, vl);
va_end(vl);
+ if (mb->length > sizeof(mb->msg) - 3)
+ mb->length = sizeof(mb->msg) - 3;
+
mb->msg[mb->length++] = '\r'; /* add \r\n to buffer */
mb->msg[mb->length++] = '\n';
mb->msg[mb->length] = '\0'; /* not strictly necessary */