From 7861ae8e4e4e2955ffbfdb89d8d87d0dddb82601 Mon Sep 17 00:00:00 2001
From: Peter Stuge
Date: Wed, 23 Jun 2010 11:16:02 +0200
Subject: [PATCH] Fix message length bugs in libssh2_debug()
There was a buffer overflow waiting to happen when a debug message was longer than 1536 bytes. Thanks to Daniel who spotted that there was a problem with the message length passed to a trace handler also after commit 0f0652a3093111fc7dac0205fdcf8d02bf16e89f.
---
src/misc.c | 19 +++++++++++++------
1 file changed, 13 insertions(+), 6 deletions(-)
diff --git a/src/misc.c b/src/misc.c
index 404d218..e6c5e99 100644
--- a/src/misc.c
+++ b/src/misc.c
@@ -369,7 +369,7 @@ void
_libssh2_debug(LIBSSH2_SESSION * session, int context, const char *format, ...)
{
char buffer[1536];
- int len;
+ int len, msglen, buflen = sizeof(buffer);
va_list vargs;
struct timeval now;
static int firstsec;
@@ -408,16 +408,23 @@ _libssh2_debug(LIBSSH2_SESSION * session, int context, const char *format, ...)
}
now.tv_sec -= firstsec;
- len = snprintf(buffer, sizeof(buffer), "[libssh2] %d.%06d %s: ",
+ len = snprintf(buffer, buflen, "[libssh2] %d.%06d %s: ",
(int)now.tv_sec, (int)now.tv_usec, contexttext);
- va_start(vargs, format);
- len += vsnprintf(buffer + len, 1535 - len, format, vargs);
- va_end(vargs);
+ if (len >= buflen)
+ msglen = buflen - 1;
+ else {
+ buflen -= len;
+ msglen = len;
+ va_start(vargs, format);
+ len = vsnprintf(buffer + msglen, buflen, format, vargs);
+ va_end(vargs);
+ msglen += len < buflen ? len : buflen - 1;
}
if (session->tracehandler)
(session->tracehandler)(session, session->tracehandler_context, buffer,
- len + 1);
+ msglen);
else
fprintf(stderr, "%s\n", buffer);
}
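Review bot: In the second hunk neither snprintf() return value is checked for a negative result, so the new guard `if (len >= buflen)` lets a negative len through: `buflen -= len` then grows the bound beyond sizeof(buffer) and `buffer + msglen` points before the array, so the vsnprintf() call can write outside `buffer` — the kind of overflow this commit sets out to remove. The same applies after vsnprintf(), where a negative len shrinks msglen and leaves whatever follows the prefix in an indeterminate state. I would change the guard to `if (len < 0 || len >= buflen)`, compute the tail as `msglen += len < 0 ? 0 : (len < buflen ? len : buflen - 1);`, and follow the if/else with `buffer[msglen] = '\0';` so the trace handler and fprintf() always see a terminated string of exactly msglen bytes (msglen never exceeds 1535, so the store stays in bounds). A negative return is mainly an encoding-error case on C99 implementations, but if this file maps snprintf to a pre-C99 _snprintf on some platform (not visible in this hunk), that variant returns -1 on truncation and does not terminate, so the guard matters there as well. The enclosing _libssh2_debug() starts before this hunk.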