From 0dd0e4396a44bc8413470b7421c4e51b70957bff Mon Sep 17 00:00:00 2001 From: Kartikeya Kotkar Date: Fri, 3 Apr 2026 20:10:38 +0530 Subject: [PATCH] Fix format string bugs, specifier mismatches, and missing arguments Fix several format string related bugs: - libbpftune.c: Fix format string vulnerability in bpftune_log_syslog() where syslog() was called with user-controlled buf as the format string. If a log message contained format specifiers like %s or %n, this would cause undefined behavior. Use syslog(level, "%s", buf) instead. - libbpftune.c: Fix missing argument in bpftuner_tunables_init() error message. The format string has three %d/%s specifiers but only two arguments were passed, causing undefined behavior. Add the missing descs[i].name argument. - libbpftune.c: Fix format specifier mismatch where %ld was used for unsigned int variables i and num_descs. Use %u instead. - neigh_table_tuner.c: Fix format specifier mismatch in nl_connect() error path where %d was used to print strerror() return value (char*). Use %s instead. - libbpftune.c: Fix typo 'sucessfully' -> 'successfully' in log message. Signed-off-by: kk --- src/libbpftune.c | 8 ++++---- src/neigh_table_tuner.c | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/src/libbpftune.c b/src/libbpftune.c index 2983060..402b42a 100644 --- a/src/libbpftune.c +++ b/src/libbpftune.c @@ -101,7 +101,7 @@ void bpftune_log_syslog(__attribute__((unused)) void *ctx, int level, buflen = vsnprintf(buf, sizeof(buf), fmt, args); if (buflen > 0) - syslog(level, buf, buflen + 1); + syslog(level, "%s", buf); } /* log to ctx buffer for specific thread, fall back to usual log destination */ @@ -811,7 +811,7 @@ struct bpftuner *bpftuner_init(const char *path) tuner->id = bpftune_num_tuners; tuner->state = BPFTUNE_ACTIVE; bpftune_tuners[bpftune_num_tuners++] = tuner; - bpftune_log(LOG_DEBUG, "sucessfully initialized tuner %s[%d]\n", + bpftune_log(LOG_DEBUG, "successfully initialized tuner %s[%d]\n", tuner->name, tuner->id); return tuner; } @@ -1391,7 +1391,7 @@ int bpftuner_tunables_init(struct bpftuner *tuner, unsigned int num_descs, for (i = 0; i < num_descs; i++) { int num_values; - bpftune_log(LOG_DEBUG, "handling desc %ld/%ld\n", i, num_descs); + bpftune_log(LOG_DEBUG, "handling desc %u/%u\n", i, num_descs); memcpy(&tuner->tunables[i].desc, &descs[i], sizeof(*descs)); if (descs[i].type != BPFTUNABLE_SYSCTL) @@ -1414,7 +1414,7 @@ int bpftuner_tunables_init(struct bpftuner *tuner, unsigned int num_descs, } if (num_values != descs[i].num_values) { bpftune_log(LOG_ERR, "error reading tunable '%s'; expected %d values, got %d\n", - descs[i].num_values, num_values); + descs[i].name, descs[i].num_values, num_values); return -EINVAL; } if (descs[i].flags & BPFTUNABLE_STRING) { diff --git a/src/neigh_table_tuner.c b/src/neigh_table_tuner.c index 07d8792..b6da30e 100644 --- a/src/neigh_table_tuner.c +++ b/src/neigh_table_tuner.c @@ -198,7 +198,7 @@ static int increase_or_decrease_thresh(struct bpftuner *tuner, } ret = nl_connect(sk, NETLINK_ROUTE); if (ret) { - bpftune_log(LOG_ERR, "nl_connect() failed: %d\n", + bpftune_log(LOG_ERR, "nl_connect() failed: %s\n", strerror(-ret)); goto out; }