From mboxrd@z Thu Jan 1 00:00:00 1970
From: Porlock
To: 9fans@9fans.net
Message-ID: <583AF47A.4010400@mailinator.com>
Date: Sun, 27 Nov 2016 14:58:02 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.6.0
Subject: [9fans] snprintf buffer overrun
Topicbox-Message-UUID: af58035e-ead9-11e9-9d60-3106f5b1d025

Plan 9's implementation of the standard C functions snprintf and vsnprintf has a buffer overrun bug. If the buffer length equals the output length (without the terminating null), then one character too many is written to the buffer. For example,

	snprintf(buf, 4, "ABCD");

will write 5 characters to buf.

Attached is a short program to illustrate this, which gives the following output:

	% 8c printftest.c && 8l printftest.8
	% ./8.out
	 A  B  C  D  \0 *  *  *  *  *  *  *  *  *  *  *

Attachment: printftest.c

	#include <u.h>
	#include <libc.h>
	#include <stdio.h>	/* Plan 9's native stdio.h is where snprintf is declared */

	void
	main(void)
	{
		char buf[16];
		int i;

		/* fill the whole buffer with a marker byte so that anything
		 * written past the requested length shows up in the dump */
		memset(buf, '*', sizeof(buf));

		/* output "ABCD" is 4 characters and the buffer length is 4:
		 * a correct snprintf writes "ABC" plus the NUL, 4 bytes in all */
		snprintf(buf, 4, "ABCD");

		/* dump every byte of buf; NUL is shown as \0 */
		for (i = 0; i < sizeof(buf); ++i) {
			if (buf[i])
				print(" %c ", buf[i]);
			else
				print(" \\0");
		}
		print("\n");
		exits(nil);
	}
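Added example, not from the post and not Plan 9 code: the same boundary check rewritten in portable standard C so it can be run on any platform, and generalised to test any formatter with snprintf's calling convention against any input. buggy_snprintf and fixed_snprintf are hypothetical reimplementations written here to model the behaviour the post describes (copy n bytes, then append the NUL) and its correction (copy at most n-1 bytes); they are not Plan 9's own source. The harness surrounds the target buffer with a canary byte and reports whether the byte just past the buffer was touched, which is the same observation the post makes with '*' fill.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Any formatter with snprintf's calling convention. */
typedef int (*bounded_fmt)(char *buf, size_t n, const char *fmt, ...);

/* Format into scratch space; returns the length, clamped to what fits. */
static size_t fmt_tmp(char *tmp, size_t tmpsz, const char *fmt, va_list ap)
{
    size_t len = (size_t)vsnprintf(tmp, tmpsz, fmt, ap);
    return len < tmpsz ? len : tmpsz - 1;
}

/* Hypothetical formatter with the off-by-one described in the post (an
 * illustration, not Plan 9's code): it copies up to n bytes of the text and
 * only then appends the NUL, so when the output is exactly n bytes long the
 * NUL lands at buf[n], one byte past the caller's buffer. */
static int buggy_snprintf(char *buf, size_t n, const char *fmt, ...)
{
    char tmp[256];
    va_list ap;
    size_t len, ncopy;

    va_start(ap, fmt);
    len = fmt_tmp(tmp, sizeof tmp, fmt, ap);
    va_end(ap);
    ncopy = len < n ? len : n;     /* wrong: no room reserved for the NUL */
    memcpy(buf, tmp, ncopy);
    buf[ncopy] = '\0';             /* writes buf[n] whenever len >= n */
    return (int)len;
}

/* Same structure with the boundary corrected: at most n-1 payload bytes,
 * NUL at buf[n-1] or earlier, and nothing written at all when n == 0. */
static int fixed_snprintf(char *buf, size_t n, const char *fmt, ...)
{
    char tmp[256];
    va_list ap;
    size_t len, ncopy;

    va_start(ap, fmt);
    len = fmt_tmp(tmp, sizeof tmp, fmt, ap);
    va_end(ap);
    if (n == 0)
        return (int)len;
    ncopy = len < n - 1 ? len : n - 1;
    memcpy(buf, tmp, ncopy);
    buf[ncopy] = '\0';
    return (int)len;
}

/* Thin wrapper so the platform's own vsnprintf goes through the same harness. */
static int platform_snprintf(char *buf, size_t n, const char *fmt, ...)
{
    va_list ap;
    int r;

    va_start(ap, fmt);
    r = vsnprintf(buf, n, fmt, ap);
    va_end(ap);
    return r;
}

#define CANARY 0xA5
#define AREA   64

/* The post's check, generalised: format `text` into a buffer of exactly
 * strlen(text) bytes that sits inside a canary-filled area. Returns 1 if the
 * canary just past the buffer was overwritten, 0 if the formatter stayed in
 * bounds, -1 if the text is too long for the harness. */
static int overruns(bounded_fmt fn, const char *text)
{
    unsigned char area[AREA];
    size_t n = strlen(text);

    if (n >= AREA)
        return -1;
    memset(area, CANARY, sizeof area);
    fn((char *)area, n, "%s", text);
    return area[n] != CANARY;
}

/* Returns 1 if the formatter stays in bounds and truncates as snprintf must:
 * the first n-1 characters of `text` followed by a NUL at buf[n-1]. */
static int truncates_correctly(bounded_fmt fn, const char *text)
{
    unsigned char area[AREA];
    size_t n = strlen(text);

    if (n == 0 || n >= AREA)
        return 0;
    memset(area, CANARY, sizeof area);
    fn((char *)area, n, "%s", text);
    return area[n] == CANARY && area[n - 1] == '\0'
        && memcmp(area, text, n - 1) == 0;
}

int main(void)
{
    printf("buggy_snprintf    overruns: %d\n", overruns(buggy_snprintf, "ABCD"));
    printf("fixed_snprintf    overruns: %d\n", overruns(fixed_snprintf, "ABCD"));
    printf("platform snprintf overruns: %d\n", overruns(platform_snprintf, "ABCD"));
    return 0;
}
```

The empty-string case is worth keeping in a regression suite alongside the post's "ABCD": with n == 0 a formatter that unconditionally stores the NUL writes into a zero-length buffer, which is the same defect at the other end of the range.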