Fix memory corruption in mkstr caused by integer overflow

nook24 · nook24 · commit bd1acd536aaa · 2026-03-16T14:43:45.000+01:00
The static 'slot' variable in mkstr() was previously a signed 32-bit
integer. On high-load systems (e.g., during status data dumps), this
counter could overflow, becoming negative.

In C, a negative dividend with the modulo operator (slot % 256) results
in a negative index. This caused the 'ret' pointer to point to memory
addresses BEFORE the actual buffer. In our case, this led to a SIGSEGV
because a timestamp string was written directly over the 'contact_list'
pointer, which happened to be located in that memory region.

Changes:
- Changed 'slot' from signed int to unsigned int (uint) to ensure
  the modulo result is always positive and within buffer bounds.
- This ensures that upon reaching UINT_MAX, the counter wraps
  safely back to zero.

Signed-off-by: nook24 &lt;d.ziegler@avendis.com&gt;
diff --git a/lib/nsutils.c b/lib/nsutils.c
@@ -89,7 +89,7 @@ int str2timeval(char *str, struct timeval *tv)
 const char *mkstr(const char *fmt, ...)
 {
 	static char buf[MKSTR_BUFS][32]; /* 8k statically on the stack */
-	static int slot = 0;
+	static unsigned slot = 0;
 	char *ret;
 
 	va_list ap;

Original file line number	Diff line number	Diff line change
`@@ -89,7 +89,7 @@ int str2timeval(char str, struct timeval tv)`
`89`	`89`	`const char mkstr(const char fmt, ...)`
`90`	`90`	`{`
`91`	`91`	`static char buf[MKSTR_BUFS][32]; /* 8k statically on the stack */`
`92`		`- static int slot = 0;`
	`92`	`+ static unsigned slot = 0;`
`93`	`93`	`char *ret;`
`94`	`94`
`95`	`95`	`va_list ap;`