Hi Anton,

On 2/26/26 9:58 PM, Anton Moryakov wrote:
Use snprintf() instead of sprintf() when building the full config path
to prevent potential buffer overflow.

The function previously used sprintf() to concatenate SRCTREE environment
variable with the expanded config name into a fixed-size buffer
fullname[PATH_MAX+1]. Since getenv() can return arbitrarily long strings,
this could lead to writing beyond the buffer boundary (CWE-120).

Changes:
- Replace sprintf() with snprintf() with proper size checking
- Add validation of snprintf() return value to detect truncation
- Emit conf_warning() if the resulting path exceeds PATH_MAX
- Return the unprefixed name as fallback on error, preserving behavior

This fixes the static analyzer warning:
   confdata.c:119: buffer overflow via getenv() tainted input

Reported-by: static analyzer Svace
Signed-off-by: Anton Moryakov <[email protected]>

Reviewed-by: Quentin Schulz <[email protected]>

Thanks!
Quentin
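
The pattern the commit message describes, as an added example that is not the patch itself or code from the project: join an environment-supplied prefix and a file name with snprintf(), treat a return value at or above the buffer size as truncation, and fall back to the unprefixed name. The helper name `prefix_with_srctree`, its signature and the `"%s/%s"` join format are assumptions made for illustration.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Hypothetical helper (not the kconfig function): join srctree and name
 * into buf. Returns buf on success. Returns name unchanged when srctree is
 * unset/empty, or when the joined path would not fit; only in the latter
 * case is *truncated set to 1 so the caller can emit a warning. */
static const char *prefix_with_srctree(const char *srctree, const char *name,
                                       char *buf, size_t bufsz, int *truncated)
{
    int n;

    *truncated = 0;
    if (!srctree || !*srctree)
        return name;

    /* snprintf() writes at most bufsz bytes including the NUL and returns
     * the length the complete string would have had, so n >= bufsz means
     * the output was cut short. A negative value is an output error. */
    n = snprintf(buf, bufsz, "%s/%s", srctree, name);
    if (n < 0 || (size_t)n >= bufsz) {
        *truncated = 1;
        return name;
    }
    return buf;
}

int main(void)
{
    static char fullname[PATH_MAX + 1];
    int truncated;
    /* SRCTREE is attacker- or user-controlled input of arbitrary length. */
    const char *p = prefix_with_srctree(getenv("SRCTREE"), ".config",
                                        fullname, sizeof(fullname), &truncated);

    if (truncated)
        fprintf(stderr, "warning: prefixed path exceeds PATH_MAX, using %s\n", p);
    printf("%s\n", p);
    return 0;
}
```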
