| Message ID | 20200311080439.13928-1-tiwai@suse.de (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | mmc: vub300: Use scnprintf() for avoiding potential buffer overflow | expand |
On Wed, 11 Mar 2020 at 09:04, Takashi Iwai <tiwai@suse.de> wrote: > > Since snprintf() returns the would-be-output size instead of the > actual output size, the succeeding calls may go beyond the given > buffer limit. Fix it by replacing with scnprintf(). > > Signed-off-by: Takashi Iwai <tiwai@suse.de> Applied for next, thanks! Kind regards Uffe > --- > drivers/mmc/host/vub300.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/mmc/host/vub300.c b/drivers/mmc/host/vub300.c > index 6ced1b7f642f..4008871bc2ec 100644 > --- a/drivers/mmc/host/vub300.c > +++ b/drivers/mmc/host/vub300.c > @@ -1363,7 +1363,7 @@ static void download_offload_pseudocode(struct vub300_mmc_host *vub300) > int retval; > for (n = 0; n < sdio_funcs; n++) { > struct sdio_func *sf = card->sdio_func[n]; > - l += snprintf(vub300->vub_name + l, > + l += scnprintf(vub300->vub_name + l, > sizeof(vub300->vub_name) - l, "_%04X%04X", > sf->vendor, sf->device); > } > -- > 2.16.4 >
diff --git a/drivers/mmc/host/vub300.c b/drivers/mmc/host/vub300.c index 6ced1b7f642f..4008871bc2ec 100644 --- a/drivers/mmc/host/vub300.c +++ b/drivers/mmc/host/vub300.c @@ -1363,7 +1363,7 @@ static void download_offload_pseudocode(struct vub300_mmc_host *vub300) int retval; for (n = 0; n < sdio_funcs; n++) { struct sdio_func *sf = card->sdio_func[n]; - l += snprintf(vub300->vub_name + l, + l += scnprintf(vub300->vub_name + l, sizeof(vub300->vub_name) - l, "_%04X%04X", sf->vendor, sf->device); }
Since snprintf() returns the would-be-output size instead of the actual output size, the succeeding calls may go beyond the given buffer limit. Fix it by replacing with scnprintf(). Signed-off-by: Takashi Iwai <tiwai@suse.de> --- drivers/mmc/host/vub300.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)