On Fri, Jul 23, 2010 at 10:48 AM, Joe Perches <joe@xxxxxxxxxxx> wrote: > > There are also many repeated uses of snprintf in kernel sources > that could similarly be a problem. > > bar += snprintf(foo + bar, ...) > bar += snprintf(foo + bar, ...) > or > foo += snprintf(foo, ...) > foo += snprintf(foo, ...) As long as the number of bytes is updated correctly, this won't be a security problem, although it can cause a (single) warning. The kernel vsnprintf does if (WARN_ON_ONCE((int) size < 0)) return 0; so if somebody overflows a buffer with multiple snprintf calls, it will all be ok as long as the buffer size thing is updated the natural way (possibly using pointer arithmetic, eg "end - bar"). Linus -- To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html