Skip to content

Fix snprintf buffer too small in exec_ddprof()#499

Merged
r1viollet merged 1 commit into
DataDog:mainfrom
algolia:fix/snprintf-buffer-truncation
Mar 4, 2026
Merged

Fix snprintf buffer too small in exec_ddprof()#499
r1viollet merged 1 commit into
DataDog:mainfrom
algolia:fix/snprintf-buffer-truncation

Conversation

@xroche

@xroche xroche commented Feb 27, 2026

Copy link
Copy Markdown
Contributor

What does this PR do?

Fix snprintf buffer sizing in exec_ddprof() (src/lib/dd_profiling.cc).

digits10 returns the number of decimal digits that can round-trip through the type (floor(log10(2^31 - 1)) = 9), not the number of digits in the maximum value. The max pid_t (2,147,483,647) has 10 digits, so the buffer needs digits10 + 2 (max digits + NUL), not digits10 + 1.

With the current size (10 bytes), snprintf silently truncates 10-digit values, potentially passing a wrong PID to execve.

Motivation

Same class of buffer sizing bug as #492 (off-by-one in loader.c), but in the C++ library mode entry point exec_ddprof().

How to test the change?

The bug is currently mitigated by Linux PID limits (max 2^22 = 7 digits), so it doesn't trigger in practice. The fix is a straightforward buffer size correction.

Classification

  • CWE-131: Incorrect Calculation of Buffer Size

Fixes #496

digits10 returns the number of decimal digits that round-trip through
the type (floor(log10(2^31-1)) = 9), not the number of digits in the
max value. The max pid_t (2,147,483,647) has 10 digits, so the buffer
needs digits10 + 2 (max digits + NUL), not digits10 + 1.

With digits10 + 1 (= 10 bytes), snprintf silently truncates 10-digit
values, potentially passing a wrong PID to execve.

Fixes DataDog#496
@xroche
xroche marked this pull request as ready for review February 27, 2026 20:12

@r1viollet r1viollet left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Internal CI is OK on this ✅
Thank you for the fix

@r1viollet
r1viollet merged commit 073b5f1 into DataDog:main Mar 4, 2026
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

snprintf buffer too small in exec_ddprof() — PID/fd truncation

2 participants