Fix message length bugs in libssh2_debug()

There was a buffer overflow waiting to happen when a debug message was longer than 1536 bytes. Thanks to Daniel who spotted that there was a problem with the message length passed to a trace handler also after commit 0f0652a3093111fc7dac0205fdcf8d02bf16e89f.
2010-06-23 11:16:02 +02:00 · 2010-06-23 11:16:02 +02:00 · 7861ae8e4e
--- a/src/misc.c
+++ b/src/misc.c
@ -369,7 +369,7 @@ void
 _libssh2_debug(LIBSSH2_SESSION * session, int context, const char *format, ...)
 {
    char buffer[1536];
-    int len;
+    int len, msglen, buflen = sizeof(buffer);
    va_list vargs;
    struct timeval now;
    static int firstsec;
@ -408,16 +408,23 @@ _libssh2_debug(LIBSSH2_SESSION * session, int context, const char *format, ...)
    }
    now.tv_sec -= firstsec;
-    len = snprintf(buffer, sizeof(buffer), "[libssh2] %d.%06d %s: ",
+    len = snprintf(buffer, buflen, "[libssh2] %d.%06d %s: ",
                   (int)now.tv_sec, (int)now.tv_usec, contexttext);
-    va_start(vargs, format);
+    if (len >= buflen)
-    len += vsnprintf(buffer + len, 1535 - len, format, vargs);
+        msglen = buflen - 1;
-    va_end(vargs);
+    else {
        buflen -= len;
        msglen = len;
        va_start(vargs, format);
        len = vsnprintf(buffer + msglen, buflen, format, vargs);
        va_end(vargs);
        msglen += len < buflen ? len : buflen - 1;
    }
    if (session->tracehandler)
        (session->tracehandler)(session, session->tracehandler_context, buffer,
-                                len + 1);
+                                msglen);
    else
        fprintf(stderr, "%s\n", buffer);
 }