net: caif: Use scnprintf() for avoiding potential buffer overflow

Since snprintf() returns the would-be-output size instead of the
actual output size, the succeeding calls may go beyond the given
buffer limit.  Fix it by replacing with scnprintf().

Cc: "David S . Miller" <davem@davemloft.net>
Cc: netdev@vger.kernel.org
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Takashi Iwai 2020-03-15 10:34:58 +01:00 committed by David S. Miller
parent cb851c01b5
commit 13bde56c5b


@ -141,28 +141,28 @@ static ssize_t dbgfs_state(struct file *file, char __user *user_buf,
return 0; return 0;
/* Print out debug information. */ /* Print out debug information. */
len += snprintf((buf + len), (DEBUGFS_BUF_SIZE - len), len += scnprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
"CAIF SPI debug information:\n"); "CAIF SPI debug information:\n");
len += snprintf((buf + len), (DEBUGFS_BUF_SIZE - len), FLAVOR); len += scnprintf((buf + len), (DEBUGFS_BUF_SIZE - len), FLAVOR);
len += snprintf((buf + len), (DEBUGFS_BUF_SIZE - len), len += scnprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
"STATE: %d\n", cfspi->dbg_state); "STATE: %d\n", cfspi->dbg_state);
len += snprintf((buf + len), (DEBUGFS_BUF_SIZE - len), len += scnprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
"Previous CMD: 0x%x\n", cfspi->pcmd); "Previous CMD: 0x%x\n", cfspi->pcmd);
len += snprintf((buf + len), (DEBUGFS_BUF_SIZE - len), len += scnprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
"Current CMD: 0x%x\n", cfspi->cmd); "Current CMD: 0x%x\n", cfspi->cmd);
len += snprintf((buf + len), (DEBUGFS_BUF_SIZE - len), len += scnprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
"Previous TX len: %d\n", cfspi->tx_ppck_len); "Previous TX len: %d\n", cfspi->tx_ppck_len);
len += snprintf((buf + len), (DEBUGFS_BUF_SIZE - len), len += scnprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
"Previous RX len: %d\n", cfspi->rx_ppck_len); "Previous RX len: %d\n", cfspi->rx_ppck_len);
len += snprintf((buf + len), (DEBUGFS_BUF_SIZE - len), len += scnprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
"Current TX len: %d\n", cfspi->tx_cpck_len); "Current TX len: %d\n", cfspi->tx_cpck_len);
len += snprintf((buf + len), (DEBUGFS_BUF_SIZE - len), len += scnprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
"Current RX len: %d\n", cfspi->rx_cpck_len); "Current RX len: %d\n", cfspi->rx_cpck_len);
len += snprintf((buf + len), (DEBUGFS_BUF_SIZE - len), len += scnprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
"Next TX len: %d\n", cfspi->tx_npck_len); "Next TX len: %d\n", cfspi->tx_npck_len);
len += snprintf((buf + len), (DEBUGFS_BUF_SIZE - len), len += scnprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
"Next RX len: %d\n", cfspi->rx_npck_len); "Next RX len: %d\n", cfspi->rx_npck_len);
if (len > DEBUGFS_BUF_SIZE) if (len > DEBUGFS_BUF_SIZE)
@ -180,23 +180,23 @@ static ssize_t print_frame(char *buf, size_t size, char *frm,
int len = 0; int len = 0;
int i; int i;
for (i = 0; i < count; i++) { for (i = 0; i < count; i++) {
len += snprintf((buf + len), (size - len), len += scnprintf((buf + len), (size - len),
"[0x" BYTE_HEX_FMT "]", "[0x" BYTE_HEX_FMT "]",
frm[i]); frm[i]);
if ((i == cut) && (count > (cut * 2))) { if ((i == cut) && (count > (cut * 2))) {
/* Fast forward. */ /* Fast forward. */
i = count - cut; i = count - cut;
len += snprintf((buf + len), (size - len), len += scnprintf((buf + len), (size - len),
"--- %zu bytes skipped ---\n", "--- %zu bytes skipped ---\n",
count - (cut * 2)); count - (cut * 2));
} }
if ((!(i % 10)) && i) { if ((!(i % 10)) && i) {
len += snprintf((buf + len), (DEBUGFS_BUF_SIZE - len), len += scnprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
"\n"); "\n");
} }
} }
len += snprintf((buf + len), (DEBUGFS_BUF_SIZE - len), "\n"); len += scnprintf((buf + len), (DEBUGFS_BUF_SIZE - len), "\n");
return len; return len;
} }
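Review bot: The two newline writes in print_frame (inside the `i % 10` branch and just before `return len;`) still take their limit from `DEBUGFS_BUF_SIZE - len` instead of `size - len`, so switching them to scnprintf() does not bound them correctly. The caller visible in dbgfs_frame passes `buf + len` and `DEBUGFS_BUF_SIZE - len`, so `buf` here is already offset into the allocation and the local `len` restarts at 0. The limit is therefore too large by the caller's offset, and once the hex dump has used up the remaining space a newline and its terminator can still be written past the end of the buffer. Both calls should read `len += scnprintf((buf + len), (size - len), "\n");`. print_frame's signature is only partly visible in the hunk header, and its opening lines sit outside this hunk.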
@ -214,17 +214,17 @@ static ssize_t dbgfs_frame(struct file *file, char __user *user_buf,
return 0; return 0;
/* Print out debug information. */ /* Print out debug information. */
len += snprintf((buf + len), (DEBUGFS_BUF_SIZE - len), len += scnprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
"Current frame:\n"); "Current frame:\n");
len += snprintf((buf + len), (DEBUGFS_BUF_SIZE - len), len += scnprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
"Tx data (Len: %d):\n", cfspi->tx_cpck_len); "Tx data (Len: %d):\n", cfspi->tx_cpck_len);
len += print_frame((buf + len), (DEBUGFS_BUF_SIZE - len), len += print_frame((buf + len), (DEBUGFS_BUF_SIZE - len),
cfspi->xfer.va_tx[0], cfspi->xfer.va_tx[0],
(cfspi->tx_cpck_len + SPI_CMD_SZ), 100); (cfspi->tx_cpck_len + SPI_CMD_SZ), 100);
len += snprintf((buf + len), (DEBUGFS_BUF_SIZE - len), len += scnprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
"Rx data (Len: %d):\n", cfspi->rx_cpck_len); "Rx data (Len: %d):\n", cfspi->rx_cpck_len);
len += print_frame((buf + len), (DEBUGFS_BUF_SIZE - len), len += print_frame((buf + len), (DEBUGFS_BUF_SIZE - len),