The ontap prioritizer functions dump_cdb() and process_sg_error() both incorrectly set the snprintf() limits larger than the available space. Instead of multiplying the number of elements to print by the size of an element to calculate the limit, they multiplied the number of elements to print by the maximum number of elements that the buffer could hold. Fix this, and also make sure that the number of elements to print is less than or equal to the maximum number that the buffer can hold. Signed-off-by: Benjamin Marzinski <bmarzins@xxxxxxxxxx> --- libmultipath/prioritizers/ontap.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/libmultipath/prioritizers/ontap.c b/libmultipath/prioritizers/ontap.c index 117886ea..28e663ac 100644 --- a/libmultipath/prioritizers/ontap.c +++ b/libmultipath/prioritizers/ontap.c @@ -39,8 +39,8 @@ static void dump_cdb(unsigned char *cdb, int size) char * p = &buf[0]; condlog(0, "- SCSI CDB: "); - for (i=0; i<size; i++) { - p += snprintf(p, 10*(size-i), "0x%02x ", cdb[i]); + for (i = 0; i < size && i < 10; i++) { + p += snprintf(p, 5*(size-i), "0x%02x ", cdb[i]); } condlog(0, "%s", buf); } @@ -56,8 +56,8 @@ static void process_sg_error(struct sg_io_hdr *io_hdr) io_hdr->host_status, io_hdr->driver_status); if (io_hdr->sb_len_wr > 0) { condlog(0, "- SCSI sense data: "); - for (i=0; i<io_hdr->sb_len_wr; i++) { - p += snprintf(p, 128*(io_hdr->sb_len_wr-i), "0x%02x ", + for (i = 0; i < io_hdr->sb_len_wr && i < 128; i++) { + p += snprintf(p, 5*(io_hdr->sb_len_wr-i), "0x%02x ", io_hdr->sbp[i]); } condlog(0, "%s", buf); -- 2.45.0