https://bugs.gentoo.org/546928

From 46679bbbe89699016d31486de7599590d02a5054 Mon Sep 17 00:00:00 2001
From: Vadim Kochan <vadim4j@gmail.com>
Date: Mon, 20 Apr 2015 08:33:32 +0300
Subject: [PATCH] tc util: Fix possible buffer overflow when print class id

Use correct handle buffer length.

Signed-off-by: Vadim Kochan <vadim4j@gmail.com>
---
 tc/tc_util.c | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/tc/tc_util.c b/tc/tc_util.c
index 1d3153d..dc2b70f 100644
--- a/tc/tc_util.c
+++ b/tc/tc_util.c
@@ -128,30 +128,31 @@ ok:
 	return 0;
 }
 
-int print_tc_classid(char *buf, int len, __u32 h)
+int print_tc_classid(char *buf, int blen, __u32 h)
 {
-	char handle[40] = {};
+	SPRINT_BUF(handle) = {};
+	int hlen = SPRINT_BSIZE - 1;
 
 	if (h == TC_H_ROOT)
 		sprintf(handle, "root");
 	else if (h == TC_H_UNSPEC)
-		snprintf(handle, len, "none");
+		snprintf(handle, hlen, "none");
 	else if (TC_H_MAJ(h) == 0)
-		snprintf(handle, len, ":%x", TC_H_MIN(h));
+		snprintf(handle, hlen, ":%x", TC_H_MIN(h));
 	else if (TC_H_MIN(h) == 0)
-		snprintf(handle, len, "%x:", TC_H_MAJ(h) >> 16);
+		snprintf(handle, hlen, "%x:", TC_H_MAJ(h) >> 16);
 	else
-		snprintf(handle, len, "%x:%x", TC_H_MAJ(h) >> 16, TC_H_MIN(h));
+		snprintf(handle, hlen, "%x:%x", TC_H_MAJ(h) >> 16, TC_H_MIN(h));
 
 	if (use_names) {
 		char clname[IDNAME_MAX] = {};
 
 		if (id_to_name(cls_names, h, clname))
-			snprintf(buf, len, "%s#%s", clname, handle);
+			snprintf(buf, blen, "%s#%s", clname, handle);
 		else
-			snprintf(buf, len, "%s", handle);
+			snprintf(buf, blen, "%s", handle);
 	} else {
-		snprintf(buf, len, "%s", handle);
+		snprintf(buf, blen, "%s", handle);
 	}
 
 	return 0;
-- 
2.3.5