Fix memory corruption in mkstr caused by integer overflow

nook24 · nook24 · commit c25d5d3118f9 · 2026-03-17T10:47:16.000+01:00
The static 'slot' variable in mkstr() was previously a signed 32-bit
integer. On high-load systems (e.g., during status data dumps), this
counter could overflow, becoming negative.

In C, a negative dividend with the modulo operator (slot % 256) results
in a negative index. This caused the 'ret' pointer to point to memory
addresses BEFORE the actual buffer. In our case, this led to a SIGSEGV
because a timestamp string was written directly over the 'contact_list'
pointer, which happened to be located in that memory region.

Changes:
- Changed 'slot' from signed int to unsigned int (uint) to ensure
  the modulo result is always positive and within buffer bounds.
- This ensures that upon reaching UINT_MAX, the counter wraps
  safely back to zero.

Signed-off-by: nook24 &lt;d.ziegler@avendis.com&gt;
diff --git a/NEWS b/NEWS
@@ -5,6 +5,9 @@ Breaking changes:
 Features:
 * new attribute 'check_timeout' on `host` and `service` structs, overrides the global host / service check timeouts. (#525)
 
+Bugfixes:
+* fix memory corruption in `mkstr` caused by integer overflow (#527)
+
 1.5.0 - Feb 03 2026
 ===================
 Breaking changes:
diff --git a/lib/nsutils.c b/lib/nsutils.c
@@ -94,7 +94,7 @@ int str2timeval(char *str, struct timeval *tv)
 const char *mkstr(const char *fmt, ...)
 {
 	static char buf[MKSTR_BUFS][32]; /* 8k statically on the stack */
-	static int slot = 0;
+	static unsigned int slot = 0;
 	char *ret;
 
 	va_list ap;

Original file line number	Diff line number	Diff line change
`@@ -94,7 +94,7 @@ int str2timeval(char str, struct timeval tv)`
`94`	`94`	`const char mkstr(const char fmt, ...)`
`95`	`95`	`{`
`96`	`96`	`static char buf[MKSTR_BUFS][32]; /* 8k statically on the stack */`
`97`		`- static int slot = 0;`
	`97`	`+ static unsigned int slot = 0;`
`98`	`98`	`char *ret;`
`99`	`99`
`100`	`100`	`va_list ap;`