mirror of
https://github.com/torvalds/linux
synced 2024-09-21 03:28:37 +00:00
net: caif: Use scnprintf() for avoiding potential buffer overflow
Since snprintf() returns the would-be-output size instead of the actual output size, the succeeding calls may go beyond the given buffer limit. Fix it by replacing with scnprintf(). Cc: "David S . Miller" <davem@davemloft.net> Cc: netdev@vger.kernel.org Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
parent
cb851c01b5
commit
13bde56c5b
|
@ -141,28 +141,28 @@ static ssize_t dbgfs_state(struct file *file, char __user *user_buf,
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
/* Print out debug information. */
|
/* Print out debug information. */
|
||||||
len += snprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
|
len += scnprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
|
||||||
"CAIF SPI debug information:\n");
|
"CAIF SPI debug information:\n");
|
||||||
|
|
||||||
len += snprintf((buf + len), (DEBUGFS_BUF_SIZE - len), FLAVOR);
|
len += scnprintf((buf + len), (DEBUGFS_BUF_SIZE - len), FLAVOR);
|
||||||
|
|
||||||
len += snprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
|
len += scnprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
|
||||||
"STATE: %d\n", cfspi->dbg_state);
|
"STATE: %d\n", cfspi->dbg_state);
|
||||||
len += snprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
|
len += scnprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
|
||||||
"Previous CMD: 0x%x\n", cfspi->pcmd);
|
"Previous CMD: 0x%x\n", cfspi->pcmd);
|
||||||
len += snprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
|
len += scnprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
|
||||||
"Current CMD: 0x%x\n", cfspi->cmd);
|
"Current CMD: 0x%x\n", cfspi->cmd);
|
||||||
len += snprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
|
len += scnprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
|
||||||
"Previous TX len: %d\n", cfspi->tx_ppck_len);
|
"Previous TX len: %d\n", cfspi->tx_ppck_len);
|
||||||
len += snprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
|
len += scnprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
|
||||||
"Previous RX len: %d\n", cfspi->rx_ppck_len);
|
"Previous RX len: %d\n", cfspi->rx_ppck_len);
|
||||||
len += snprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
|
len += scnprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
|
||||||
"Current TX len: %d\n", cfspi->tx_cpck_len);
|
"Current TX len: %d\n", cfspi->tx_cpck_len);
|
||||||
len += snprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
|
len += scnprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
|
||||||
"Current RX len: %d\n", cfspi->rx_cpck_len);
|
"Current RX len: %d\n", cfspi->rx_cpck_len);
|
||||||
len += snprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
|
len += scnprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
|
||||||
"Next TX len: %d\n", cfspi->tx_npck_len);
|
"Next TX len: %d\n", cfspi->tx_npck_len);
|
||||||
len += snprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
|
len += scnprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
|
||||||
"Next RX len: %d\n", cfspi->rx_npck_len);
|
"Next RX len: %d\n", cfspi->rx_npck_len);
|
||||||
|
|
||||||
if (len > DEBUGFS_BUF_SIZE)
|
if (len > DEBUGFS_BUF_SIZE)
|
||||||
|
@ -180,23 +180,23 @@ static ssize_t print_frame(char *buf, size_t size, char *frm,
|
||||||
int len = 0;
|
int len = 0;
|
||||||
int i;
|
int i;
|
||||||
for (i = 0; i < count; i++) {
|
for (i = 0; i < count; i++) {
|
||||||
len += snprintf((buf + len), (size - len),
|
len += scnprintf((buf + len), (size - len),
|
||||||
"[0x" BYTE_HEX_FMT "]",
|
"[0x" BYTE_HEX_FMT "]",
|
||||||
frm[i]);
|
frm[i]);
|
||||||
if ((i == cut) && (count > (cut * 2))) {
|
if ((i == cut) && (count > (cut * 2))) {
|
||||||
/* Fast forward. */
|
/* Fast forward. */
|
||||||
i = count - cut;
|
i = count - cut;
|
||||||
len += snprintf((buf + len), (size - len),
|
len += scnprintf((buf + len), (size - len),
|
||||||
"--- %zu bytes skipped ---\n",
|
"--- %zu bytes skipped ---\n",
|
||||||
count - (cut * 2));
|
count - (cut * 2));
|
||||||
}
|
}
|
||||||
|
|
||||||
if ((!(i % 10)) && i) {
|
if ((!(i % 10)) && i) {
|
||||||
len += snprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
|
len += scnprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
|
||||||
"\n");
|
"\n");
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
len += snprintf((buf + len), (DEBUGFS_BUF_SIZE - len), "\n");
|
len += scnprintf((buf + len), (DEBUGFS_BUF_SIZE - len), "\n");
|
||||||
return len;
|
return len;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -214,17 +214,17 @@ static ssize_t dbgfs_frame(struct file *file, char __user *user_buf,
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
/* Print out debug information. */
|
/* Print out debug information. */
|
||||||
len += snprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
|
len += scnprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
|
||||||
"Current frame:\n");
|
"Current frame:\n");
|
||||||
|
|
||||||
len += snprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
|
len += scnprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
|
||||||
"Tx data (Len: %d):\n", cfspi->tx_cpck_len);
|
"Tx data (Len: %d):\n", cfspi->tx_cpck_len);
|
||||||
|
|
||||||
len += print_frame((buf + len), (DEBUGFS_BUF_SIZE - len),
|
len += print_frame((buf + len), (DEBUGFS_BUF_SIZE - len),
|
||||||
cfspi->xfer.va_tx[0],
|
cfspi->xfer.va_tx[0],
|
||||||
(cfspi->tx_cpck_len + SPI_CMD_SZ), 100);
|
(cfspi->tx_cpck_len + SPI_CMD_SZ), 100);
|
||||||
|
|
||||||
len += snprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
|
len += scnprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
|
||||||
"Rx data (Len: %d):\n", cfspi->rx_cpck_len);
|
"Rx data (Len: %d):\n", cfspi->rx_cpck_len);
|
||||||
|
|
||||||
len += print_frame((buf + len), (DEBUGFS_BUF_SIZE - len),
|
len += print_frame((buf + len), (DEBUGFS_BUF_SIZE - len),
|
||||||
|
|
Loading…
Reference in a new issue