The functions snprintf() and vsnprintf() do not write more than size bytes (including the terminating null byte ('\0')). If the output was truncated due to this limit then the return value is the number of characters (excluding the terminating null byte) which would have been written to the final string if enough space had been available. Thus, a return value of size or more means that the output was truncated. (See also below under NOTES.)
POC
payload
Cause

As the man page excerpt above states, the return value of vsnprintf is not necessarily smaller than the size that was passed in: when the output is truncated it is the length the full string would have had, so a value of size or more must be treated as truncation and clamped before it is used as an offset or length. When the HTTP request above is sent, n is 35 and m is 1979, so the code indexes past the end of m_buf and the process crashes.
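The pattern behind this bug, as an added example that is not code from the original report or the affected project: a fixed-size buffer is filled with vsnprintf, and the raw return value is then used as a stored length. `raw_vsnprintf_len` shows the value the report calls m (the would-be length, which can exceed the buffer), and `writer_append` is a hardened form that clamps the length and flags truncation so later indexing stays in bounds. The names `writer`, `BUF_SIZE`, `writer_append` and the oversized request line are assumptions made for this example; the report's own buffer, size and request are not reproduced here.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size buffer standing in for the m_buf of the report. */
#define BUF_SIZE 64

struct writer {
    char buf[BUF_SIZE];
    size_t len;     /* bytes actually stored; must stay <= BUF_SIZE - 1 */
    int truncated;  /* set when a format did not fit */
};

/* Vulnerable idea: return vsnprintf's raw result. The value is the length the
 * formatted string WOULD have needed, so it can be >= size even though only
 * size - 1 bytes (plus the NUL) were written. Using it as an index is the bug. */
static int raw_vsnprintf_len(char *dst, size_t size, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(dst, size, fmt, ap);
    va_end(ap);
    return n;
}

/* Hardened append: treat n >= available space as truncation, clamp the stored
 * length to what was really written, and report it instead of trusting n.
 * Returns 1 on success, 0 on truncation, -1 on an encoding error. */
static int writer_append(struct writer *w, const char *fmt, ...)
{
    if (w->len >= BUF_SIZE - 1)
        return 0;                       /* already full, nothing more fits */
    size_t avail = BUF_SIZE - w->len;   /* includes room for the NUL */

    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(w->buf + w->len, avail, fmt, ap);
    va_end(ap);

    if (n < 0)
        return -1;
    if ((size_t)n >= avail) {           /* output was cut: only avail - 1 bytes stored */
        w->len = BUF_SIZE - 1;
        w->truncated = 1;
        return 0;
    }
    w->len += (size_t)n;
    return 1;
}

/* Constructed oversized request line (not the report's payload): a 1999-byte
 * run of 'A' that cannot fit in a 64-byte buffer. */
static void make_big_line(char *out, size_t size)
{
    memset(out, 'A', size - 1);
    out[size - 1] = '\0';
}

int main(void)
{
    char big[2000];
    char tmp[BUF_SIZE];
    make_big_line(big, sizeof big);

    int m = raw_vsnprintf_len(tmp, sizeof tmp, "%s", big);
    printf("raw return value m=%d, bytes actually stored=%zu\n", m, strlen(tmp));

    struct writer w;
    memset(&w, 0, sizeof w);
    writer_append(&w, "GET / HTTP/1.1\r\n");
    writer_append(&w, "%s", big);
    printf("clamped len=%zu truncated=%d\n", w.len, w.truncated);
    return 0;
}
```

The fix is the comparison against `avail` before the length is updated: a caller that keeps `m_buf[len]` as its write cursor must never advance it by the raw vsnprintf result.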