From 0fc770166c0592232bb5d31ad90f37948d35228b Mon Sep 17 00:00:00 2001
From: Michael Davidsaver
Date: Mon, 31 Jul 2017 12:18:01 +0200
Subject: [PATCH] rsrv: avoid possible overflow in vsend_err()

Accounting of message size doesn't take into account space used by header of failed message (16 or 24 bytes). This would allow a theoretical really long error message to overflow the send buffer by 16 or 24 bytes.
---
 src/rsrv/camessage.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/rsrv/camessage.c b/src/rsrv/camessage.c
index df1ce65b2..160bc2138 100644
--- a/src/rsrv/camessage.c
+++ b/src/rsrv/camessage.c
@@ -216,10 +216,10 @@ va_list args
     /*
      * add their context string into the protocol
      */
-    localStatus = epicsVsnprintf ( pMsgString, maxDiagLen, pformat, args );
+    localStatus = epicsVsnprintf ( pMsgString, maxDiagLen - size, pformat, args );
     if ( localStatus >= 1 ) {
         unsigned diagLen = ( unsigned ) localStatus;
-        if ( diagLen < maxDiagLen ) {
+        if ( diagLen < maxDiagLen - size ) {
             size += (ca_uint32_t) (diagLen + 1u);
         }
         else {
@@ -227,7 +227,7 @@ va_list args
             "caserver: vsend_err: epicsVsnprintf detected "
             "error message truncation, pFormat = \"%s\"\n",
             pformat );
-            size += maxDiagLen;
+            size = maxDiagLen;
             pMsgString [ maxDiagLen - 1 ] = '\0';
         }
     }
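Review bot: The truncation branch in the second hunk still writes the terminator at `pMsgString [ maxDiagLen - 1 ]`, but epicsVsnprintf is now bounded to `maxDiagLen - size` bytes, so under the commit's own premise that the whole message must fit in maxDiagLen this store lands up to `size` bytes past the end of the string area — the same header-sized overrun the description is fixing. It should follow the new bound, `pMsgString [ maxDiagLen - size - 1 ] = '\0';`; epicsVsnprintf already terminates within its bound, so this line is belt-and-braces and must at least not undo the fix. Both `maxDiagLen - size` subtractions (first and second hunk) are unsigned and rely on `size`, the 16- or 24-byte header, being smaller than `maxDiagLen`; if that is not guaranteed by how maxDiagLen is defined, a guard or assertion before the epicsVsnprintf call would make the assumption explicit rather than letting the difference wrap to a huge bound. vsend_err's body starts before the first hunk and continues past the second.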