From e2ff7caf9d5ce90682ecbab7cc92a716679e4e0d Mon Sep 17 00:00:00 2001 From: Pavel Punsky Date: Thu, 8 Sep 2022 02:24:28 -0700 Subject: [PATCH] Fix long log line printing (#974) `vsnprintf` will stop at the max buffer size as provided in its 2nd argument But the return value is `The number of characters that would have been written if n had been sufficiently large` meaning it can be larger than actual buffer size `fwrite` will actually use the larger, incorrect number and dump unrelated memory to log (and crash with high confidence) Test: - Query admin interface with super long path (>16KB) - crash - With the fix - no crash with the same input, log line cut off Co-authored-by: Pavel Punsky --- src/apps/common/ns_turn_utils.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/apps/common/ns_turn_utils.c b/src/apps/common/ns_turn_utils.c index dfb2042..321d332 100644 --- a/src/apps/common/ns_turn_utils.c +++ b/src/apps/common/ns_turn_utils.c @@ -539,7 +539,6 @@ void turn_log_func_default(TURN_LOG_LEVEL level, const char* format, ...) /* Fix for Issue 24, raised by John Selbie: */ #define MAX_RTPPRINTF_BUFFER_SIZE (1024) char s[MAX_RTPPRINTF_BUFFER_SIZE+1]; -#undef MAX_RTPPRINTF_BUFFER_SIZE size_t so_far = 0; if (use_new_log_timestamp_format) { time_t now = time(NULL); @@ -549,6 +548,10 @@ void turn_log_func_default(TURN_LOG_LEVEL level, const char* format, ...) } so_far += snprintf(s + so_far, sizeof(s)-100, (level == TURN_LOG_LEVEL_ERROR) ? ": ERROR: " : ": "); so_far += vsnprintf(s + so_far,sizeof(s) - (so_far+1), format, args); + if(so_far > MAX_RTPPRINTF_BUFFER_SIZE+1) + { + so_far=MAX_RTPPRINTF_BUFFER_SIZE+1; + } if(!no_stdout_log) fwrite(s, so_far, 1, stdout); /* write to syslog or to log file */