On Sun, 13 Jun 2010 13:11:48 EDT, Chase Douglas said:
> Passing n > sizeof(string) to snprintf can cause a glibc buffer overflow
> condition. We know the exact size of nsecs_str, so use it instead of
> math that may overflow.

> /* Print nsecs (we don't want to exceed 7 numbers) */
> if ((s->len - len) < 7) {
> - snprintf(nsecs_str, 8 - (s->len - len), "%03lu", nsecs_rem);
> + snprintf(nsecs_str, sizeof(nsecs_str), "%03lu", nsecs_rem);

We only get into this code after we've checked that the length is under 7
characters. How much overflow can happen as long as the sizeof(nsecs_str)
is a sane size (like at least 8 chars)? Probably a better bet would be
doing the right thing and 'BUILD_BUG_ON(sizeof(nsecs_str) < 8);'?
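Review bot: the size argument on the `-` line, `8 - (s->len - len)`, is not only a buffer bound; it is what enforces the comment "we don't want to exceed 7 numbers" by truncating the nsecs digits to whatever width is left after the integer part. The `+` line keeps the buffer bound but drops that truncation, so `"%03lu"` now always emits three digits and the guard `if ((s->len - len) < 7)` no longer caps the total width. If the buffer size was the concern, `snprintf(nsecs_str, min_t(size_t, sizeof(nsecs_str), 8 - (s->len - len)), "%03lu", nsecs_rem);` keeps both properties. The commit message should also state what `sizeof(nsecs_str)` actually is, since "math that may overflow" only holds when `8 - (s->len - len)` can exceed it.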