Re #1703: fixing general bugs. First installment: correct handling of snprintf return value

git-svn-id: http://svn.pjsip.org/repos/pjproject/trunk@4613 74dad513-b988-da41-8d7b-12977e46ad98

3 files changed, 14 insertions, 9 deletions

diff --git a/pjlib-util/src/pjlib-util/dns_dump.c b/pjlib-util/src/pjlib-util/dns_dump.c
index 95e58c79..c3c776ba 100644
--- a/pjlib-util/src/pjlib-util/dns_dump.c
+++ b/pjlib-util/src/pjlib-util/dns_dump.c
@@ -36,7 +36,7 @@ static const char *spell_ttl(char *buf, int size, unsigned ttl)
 
     if (ttl > DAY) {
 	len = pj_ansi_snprintf(p, size, "%dd ", ttl/DAY);
-	if (len < 1)
+	if (len < 1 || len >= size)
 	    return "-err-";
 	size -= len;
 	p += len;
@@ -45,7 +45,7 @@ static const char *spell_ttl(char *buf, int size, unsigned ttl)
 
     if (ttl > HOUR) {
 	len = pj_ansi_snprintf(p, size, "%dh ", ttl/HOUR);
-	if (len < 1)
+	if (len < 1 || len >= size)
 	    return "-err-";
 	size -= len;
 	p += len;
@@ -54,7 +54,7 @@ static const char *spell_ttl(char *buf, int size, unsigned ttl)
 
     if (ttl > MINUTE) {
 	len = pj_ansi_snprintf(p, size, "%dm ", ttl/MINUTE);
-	if (len < 1)
+	if (len < 1 || len >= size)
 	    return "-err-";
 	size -= len;
 	p += len;
@@ -63,7 +63,7 @@ static const char *spell_ttl(char *buf, int size, unsigned ttl)
 
     if (ttl > 0) {
 	len = pj_ansi_snprintf(p, size, "%ds ", ttl);
-	if (len < 1)
+	if (len < 1 || len >= size)
 	    return "-err-";
 	size -= len;
 	p += len;
diff --git a/pjlib-util/src/pjlib-util/errno.c b/pjlib-util/src/pjlib-util/errno.c
index 1949d05e..29bd765b 100644
--- a/pjlib-util/src/pjlib-util/errno.c
+++ b/pjlib-util/src/pjlib-util/errno.c
@@ -166,7 +166,8 @@ pj_str_t pjlib_util_strerror(pj_status_t statcode,
     errstr.slen = pj_ansi_snprintf(buf, bufsize, 
 				   "Unknown pjlib-util error %d",
 				   statcode);
-
+    if (errstr.slen < 1 || errstr.slen >= (pj_ssize_t)bufsize)
+	errstr.slen = bufsize - 1;
     return errstr;
 }
 
diff --git a/pjlib-util/src/pjlib-util/http_client.c b/pjlib-util/src/pjlib-util/http_client.c
index 941683ef..ceb4c602 100644
--- a/pjlib-util/src/pjlib-util/http_client.c
+++ b/pjlib-util/src/pjlib-util/http_client.c
@@ -1358,6 +1358,7 @@ static pj_status_t auth_respond_digest(pj_http_req *hreq)
 
     if (chal->qop.slen == 0) {
 	const pj_str_t STR_MD5 = { "MD5", 3 };
+	int max_len;
 
 	/* Server doesn't require quality of protection. */
 	auth_create_digest_response(&digest_response, cred,
@@ -1365,8 +1366,9 @@ static pj_status_t auth_respond_digest(pj_http_req *hreq)
 				    &hreq->hurl.path, &chal->realm,
 				    &hreq->param.method);
 
+	max_len = len;
 	len = pj_ansi_snprintf(
-		phdr->value.ptr, len,
+		phdr->value.ptr, max_len,
 		"Digest username=\"%.*s\", "
 		"realm=\"%.*s\", "
 		"nonce=\"%.*s\", "
@@ -1379,7 +1381,7 @@ static pj_status_t auth_respond_digest(pj_http_req *hreq)
 		STR_PREC(hreq->hurl.path),
 		STR_PREC(STR_MD5),
 		STR_PREC(digest_response));
-	if (len < 0)
+	if (len < 0 || len >= max_len)
 	    return PJ_ETOOSMALL;
 	phdr->value.slen = len;
 
@@ -1391,13 +1393,15 @@ static pj_status_t auth_respond_digest(pj_http_req *hreq)
 	const pj_str_t qop = pj_str("auth");
 	const pj_str_t nc = pj_str("00000001");
 	const pj_str_t cnonce = pj_str("b39971");
+	int max_len;
 
 	auth_create_digest_response(&digest_response, cred,
 				    &chal->nonce, &nc, &cnonce, &qop,
 				    &hreq->hurl.path, &chal->realm,
 				    &hreq->param.method);
+	max_len = len;
 	len = pj_ansi_snprintf(
-		phdr->value.ptr, len,
+		phdr->value.ptr, max_len,
 		"Digest username=\"%.*s\", "
 		"realm=\"%.*s\", "
 		"nonce=\"%.*s\", "
@@ -1416,7 +1420,7 @@ static pj_status_t auth_respond_digest(pj_http_req *hreq)
 		STR_PREC(qop),
 		STR_PREC(nc),
 		STR_PREC(cnonce));
-	if (len < 0)
+	if (len < 0 || len >= max_len)
 	    return PJ_ETOOSMALL;
 	phdr->value.slen = len;