The code to build the command string calls snprintf() in a loop, adding the return value to the start pointer, c. Since snprintf() can return more characters than it actually printed if it runs out of space, c can end up pointing past the end of the command string buffer on sebsequent loops. Since the size argument to snprintf() is unsigned, after an overflow it will be a huge number, instead of a negative one, meaning that it will continue printing past the end of the buffer. Check for overflow after each snprintf() to avoid this. Signed-off-by: Benjamin Marzinski <bmarzins@xxxxxxxxxx> --- multipathd/main.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/multipathd/main.c b/multipathd/main.c index 5a408945..1032fb2a 100644 --- a/multipathd/main.c +++ b/multipathd/main.c @@ -3707,6 +3707,10 @@ main (int argc, char *argv[]) c += snprintf(c, s + CMDSIZE - c, "%s ", argv[optind]); optind++; + if (c >= s + CMDSIZE) { + fprintf(stderr, "multipathd command too large\n"); + exit(1); + } } c += snprintf(c, s + CMDSIZE - c, "\n"); } -- 2.17.2 -- dm-devel mailing list dm-devel@xxxxxxxxxx https://listman.redhat.com/mailman/listinfo/dm-devel