logger: fix off-by-one sscanf width in filter_parse_component_name

jmestwa-coder · jmestwa-coder · commit 0d91e34472d9 · 2026-06-11T10:48:18.000+05:30
filter_parse_component_name() builds the sscanf format string with
field width UUID_NAME_MAX_LEN, but a %N[...] conversion writes up to
N characters plus a NUL terminator. comp_name is only
UUID_NAME_MAX_LEN bytes, so a component name of exactly that length
overflows the stack buffer by one byte.

Cap the scan width at UUID_NAME_MAX_LEN - 1 so the terminator always
fits in comp_name.

Signed-off-by: jmestwa-coder &lt;jmestwa@gmail.com&gt;
diff --git a/tools/logger/filter.c b/tools/logger/filter.c
@@ -104,7 +104,7 @@ static char *filter_parse_component_name(char *input_str, struct filter_element
 	 */
 	if (strlen(scan_format_string) == 0) {
 		ret = snprintf(scan_format_string, sizeof(scan_format_string),
-				"%%%d[^0-9* ]s", UUID_NAME_MAX_LEN);
+				"%%%d[^0-9* ]s", UUID_NAME_MAX_LEN - 1);
 		if (ret <= 0)
 			return NULL;
 	}

Original file line number	Diff line number	Diff line change
`@@ -104,7 +104,7 @@ static char filter_parse_component_name(char input_str, struct filter_element`
`104`	`104`	`*/`
`105`	`105`	`if (strlen(scan_format_string) == 0) {`
`106`	`106`	`ret = snprintf(scan_format_string, sizeof(scan_format_string),`
`107`		`- "%%%d[^0-9* ]s", UUID_NAME_MAX_LEN);`
	`107`	`+ "%%%d[^0-9* ]s", UUID_NAME_MAX_LEN - 1);`
`108`	`108`	`if (ret <= 0)`
`109`	`109`	`return NULL;`
`110`	`110`	`}`