Message ID | 20200311074706.8624-1-tiwai@suse.de (mailing list archive) |
---|---|
State | New, archived |
Series | media: rc: Use scnprintf() for avoiding potential buffer overflow |
On Wed, 11 Mar 2020 08:47:06 +0100, Takashi Iwai wrote: > > Since snprintf() returns the would-be-output size instead of the > actual output size, the succeeding calls may go beyond the given > buffer limit. Fix it by replacing with scnprintf(). > > Signed-off-by: Takashi Iwai <tiwai@suse.de> A gentle reminder for this forgotten patch. Let me know if any further changes are needed. thanks, Takashi > --- > drivers/media/rc/nuvoton-cir.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/drivers/media/rc/nuvoton-cir.c b/drivers/media/rc/nuvoton-cir.c > index 5c2cd8d2d155..48a69bf23236 100644 > --- a/drivers/media/rc/nuvoton-cir.c > +++ b/drivers/media/rc/nuvoton-cir.c > @@ -230,10 +230,10 @@ static ssize_t wakeup_data_show(struct device *dev, > for (i = 0; i < fifo_len; i++) { > duration = nvt_cir_wake_reg_read(nvt, CIR_WAKE_RD_FIFO_ONLY); > duration = (duration & BUF_LEN_MASK) * SAMPLE_PERIOD; > - buf_len += snprintf(buf + buf_len, PAGE_SIZE - buf_len, > + buf_len += scnprintf(buf + buf_len, PAGE_SIZE - buf_len, > "%d ", duration); > } > - buf_len += snprintf(buf + buf_len, PAGE_SIZE - buf_len, "\n"); > + buf_len += scnprintf(buf + buf_len, PAGE_SIZE - buf_len, "\n"); > > spin_unlock_irqrestore(&nvt->lock, flags); > > -- > 2.16.4 >
On Thu, Mar 19, 2020 at 04:57:42PM +0100, Takashi Iwai wrote: > On Wed, 11 Mar 2020 08:47:06 +0100, > Takashi Iwai wrote: > > > > Since snprintf() returns the would-be-output size instead of the > > actual output size, the succeeding calls may go beyond the given > > buffer limit. Fix it by replacing with scnprintf(). > > > > Signed-off-by: Takashi Iwai <tiwai@suse.de> > > A gentle reminder for this forgotten patch. > Let me know if any further changes are needed. Thank you for your reminder. The changes look good, unfortunately they missed the deadline for v5.7. I handle them after the next merge window. Thanks, Sean > > > thanks, > > Takashi > > > --- > > drivers/media/rc/nuvoton-cir.c | 4 ++-- > > 1 file changed, 2 insertions(+), 2 deletions(-) > > > > diff --git a/drivers/media/rc/nuvoton-cir.c b/drivers/media/rc/nuvoton-cir.c > > index 5c2cd8d2d155..48a69bf23236 100644 > > --- a/drivers/media/rc/nuvoton-cir.c > > +++ b/drivers/media/rc/nuvoton-cir.c > > @@ -230,10 +230,10 @@ static ssize_t wakeup_data_show(struct device *dev, > > for (i = 0; i < fifo_len; i++) { > > duration = nvt_cir_wake_reg_read(nvt, CIR_WAKE_RD_FIFO_ONLY); > > duration = (duration & BUF_LEN_MASK) * SAMPLE_PERIOD; > > - buf_len += snprintf(buf + buf_len, PAGE_SIZE - buf_len, > > + buf_len += scnprintf(buf + buf_len, PAGE_SIZE - buf_len, > > "%d ", duration); > > } > > - buf_len += snprintf(buf + buf_len, PAGE_SIZE - buf_len, "\n"); > > + buf_len += scnprintf(buf + buf_len, PAGE_SIZE - buf_len, "\n"); > > > > spin_unlock_irqrestore(&nvt->lock, flags); > > > > -- > > 2.16.4 > >
diff --git a/drivers/media/rc/nuvoton-cir.c b/drivers/media/rc/nuvoton-cir.c index 5c2cd8d2d155..48a69bf23236 100644 --- a/drivers/media/rc/nuvoton-cir.c +++ b/drivers/media/rc/nuvoton-cir.c @@ -230,10 +230,10 @@ static ssize_t wakeup_data_show(struct device *dev, for (i = 0; i < fifo_len; i++) { duration = nvt_cir_wake_reg_read(nvt, CIR_WAKE_RD_FIFO_ONLY); duration = (duration & BUF_LEN_MASK) * SAMPLE_PERIOD; - buf_len += snprintf(buf + buf_len, PAGE_SIZE - buf_len, + buf_len += scnprintf(buf + buf_len, PAGE_SIZE - buf_len, "%d ", duration); } - buf_len += snprintf(buf + buf_len, PAGE_SIZE - buf_len, "\n"); + buf_len += scnprintf(buf + buf_len, PAGE_SIZE - buf_len, "\n"); spin_unlock_irqrestore(&nvt->lock, flags);
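Review bot: In the for loop of wakeup_data_show(), once buf is full every further scnprintf() call stores nothing and returns 0, so the output is cut off silently and the closing "\n" written after the loop is dropped too. Consider reserving one byte so the newline always fits, for example by passing PAGE_SIZE - 1 - buf_len inside the loop, and state in the commit message whether fifo_len can really produce more than PAGE_SIZE bytes of "%d " output, since that decides whether this is hardening or a fix for a reachable overrun.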
Since snprintf() returns the would-be-output size instead of the actual output size, the succeeding calls may go beyond the given buffer limit. Fix it by replacing with scnprintf(). Signed-off-by: Takashi Iwai <tiwai@suse.de> --- drivers/media/rc/nuvoton-cir.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
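The return-value difference the commit message describes, shown as an added userspace example (not part of the patch or the driver). `model_scnprintf()` is a stand-in written here for the kernel's scnprintf(), and the 16-byte buffer and sample values are constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Userspace stand-in (assumption) for the kernel's scnprintf(): returns the
 * number of characters actually stored, excluding the NUL, at most size - 1. */
static int model_scnprintf(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (size == 0)
        return 0;
    va_start(ap, fmt);
    n = vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    if (n < 0)
        return 0;
    return (size_t)n >= size ? (int)(size - 1) : n;
}

/* Pre-patch accumulation: the offset grows by the would-be length. Once it
 * reaches size this demo only counts (NULL, 0), since buf + off is past the end. */
static size_t offset_with_snprintf(char *buf, size_t size, int count, int val)
{
    size_t off = 0;
    for (int i = 0; i < count; i++) {
        size_t room = off < size ? size - off : 0;
        off += (size_t)snprintf(room ? buf + off : NULL, room, "%d ", val);
    }
    return off;
}

/* Post-patch accumulation: the offset can never exceed size - 1. */
static size_t offset_with_scnprintf(char *buf, size_t size, int count, int val)
{
    size_t off = 0;
    for (int i = 0; i < count; i++)
        off += (size_t)model_scnprintf(buf + off, size - off, "%d ", val);
    return off;
}

int main(void)
{
    char buf[16]; /* constructed stand-in for the PAGE_SIZE buffer */
    printf("%zu vs %zu\n", offset_with_snprintf(buf, sizeof(buf), 10, 12345),
           offset_with_scnprintf(buf, sizeof(buf), 10, 12345));
    return 0;
}
```

In the pre-patch loop there is no `room` guard, so an offset past the buffer size feeds straight into the next call's pointer and size arguments.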