lib: fix infinite loop in __darr_in_vsprintf

`darr_avail` returns the available capacity excluding the already existing terminating NULL byte. Take this into account when using `darr_avail`. Otherwise, if the error length is a power of 2, the capacity is never enough and the function stucks in an infinite loop. Signed-off-by: Igor Ryzhov <[email protected]>
FRRouting · Mar 5, 2024 · cb6032d · cb6032d
1 parent ee0c1cc
commit cb6032d
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/lib/darr.c b/lib/darr.c
@@ -70,11 +70,11 @@ char *__darr_in_vsprintf(char **sp, bool concat, const char *fmt, va_list ap)
 		*darr_append(*sp) = 0;
 again:
 	va_copy(ap_copy, ap);
-	len = vsnprintf(darr_last(*sp), darr_avail(*sp), fmt, ap_copy);
+	len = vsnprintf(darr_last(*sp), darr_avail(*sp) + 1, fmt, ap_copy);
 	va_end(ap_copy);
 	if (len < 0)
 		darr_in_strcat(*sp, fmt);
-	else if ((size_t)len < darr_avail(*sp))
+	else if ((size_t)len <= darr_avail(*sp))
 		_darr_len(*sp) += len;
 	else {
 		darr_ensure_cap(*sp, darr_len(*sp) + (size_t)len);