Buffer overflow in SingleRateThreeColorMeter.cc

[dragos-bth]

There are actually two issues occurring in /inet/src/inet/networklayer/diffserv/SingleRateThreeColorMeter.cc. First, the use of deprecated sprintf() calls will be flagged as a problem by clang on MacOS Tahoe 26.1. Secondly, a statement such as sprintf(buf + strlen(buf), "rcvd: %d ", numRcvd);will attempt to write an int (I assume 4 bytes) past the end of buf.

Converting all three sprint() calls to snprintf(), such snprintf(buf, strlen(buf), "rcvd: %d ", numRcvd); should fix both problems.

void SingleRateThreeColorMeter::refreshDisplay() const
{
    char buf[80] = "";
    if (numRcvd > 0)
        sprintf(buf + strlen(buf), "rcvd: %d ", numRcvd);
    if (numYellow > 0)
        sprintf(buf + strlen(buf), "yellow:%d ", numYellow);
    if (numRed > 0)
        sprintf(buf + strlen(buf), "red:%d ", numRed);
    getDisplayString().setTagArg("t", 0, buf);
}

[aarizaq]

Be careful, with this snprintf(buf, strlen(buf), "rcvd: %d ", numRcvd); , the code will never print, strlen(buf) initially is 0

I suppose that it is something like this that you want
char buf[80] = "";
if (numRcvd > 0)
snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf), "rcvd: %d ", numRcvd);
if (numYellow > 0)
snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf),"yellow:%d ", numYellow);
if (numRed > 0)
snprintf(buf + strlen(buf), sizeof(buf) - strlen(buf),"red:%d ", numRed);
getDisplayString().setTagArg("t", 0, buf);