| Message ID | 20200311070851.3731-1-tiwai@suse.de (mailing list archive) |
|---|---|
| State | Mainlined, archived |
| Headers | show |
| Series | ACPI: fan: Use scnprintf() for avoiding potential buffer overflow | expand |
On Wednesday, March 11, 2020 8:08:51 AM CET Takashi Iwai wrote: > Since snprintf() returns the would-be-output size instead of the > actual output size, the succeeding calls may go beyond the given > buffer limit. Fix it by replacing with scnprintf(). > > Also adjust the argument to really match with the actually remaining > buffer size. > > Signed-off-by: Takashi Iwai <tiwai@suse.de> > --- > drivers/acpi/fan.c | 20 ++++++++++---------- > 1 file changed, 10 insertions(+), 10 deletions(-) > > diff --git a/drivers/acpi/fan.c b/drivers/acpi/fan.c > index aaf4e8f348cf..873e039ad4b7 100644 > --- a/drivers/acpi/fan.c > +++ b/drivers/acpi/fan.c > @@ -276,29 +276,29 @@ static ssize_t show_state(struct device *dev, struct device_attribute *attr, cha > int count; > > if (fps->control == 0xFFFFFFFF || fps->control > 100) > - count = snprintf(buf, PAGE_SIZE, "not-defined:"); > + count = scnprintf(buf, PAGE_SIZE, "not-defined:"); > else > - count = snprintf(buf, PAGE_SIZE, "%lld:", fps->control); > + count = scnprintf(buf, PAGE_SIZE, "%lld:", fps->control); > > if (fps->trip_point == 0xFFFFFFFF || fps->trip_point > 9) > - count += snprintf(&buf[count], PAGE_SIZE, "not-defined:"); > + count += scnprintf(&buf[count], PAGE_SIZE - count, "not-defined:"); > else > - count += snprintf(&buf[count], PAGE_SIZE, "%lld:", fps->trip_point); > + count += scnprintf(&buf[count], PAGE_SIZE - count, "%lld:", fps->trip_point); > > if (fps->speed == 0xFFFFFFFF) > - count += snprintf(&buf[count], PAGE_SIZE, "not-defined:"); > + count += scnprintf(&buf[count], PAGE_SIZE - count, "not-defined:"); > else > - count += snprintf(&buf[count], PAGE_SIZE, "%lld:", fps->speed); > + count += scnprintf(&buf[count], PAGE_SIZE - count, "%lld:", fps->speed); > > if (fps->noise_level == 0xFFFFFFFF) > - count += snprintf(&buf[count], PAGE_SIZE, "not-defined:"); > + count += scnprintf(&buf[count], PAGE_SIZE - count, "not-defined:"); > else > - count += snprintf(&buf[count], PAGE_SIZE, "%lld:", fps->noise_level * 100); > + count += scnprintf(&buf[count], PAGE_SIZE - count, "%lld:", fps->noise_level * 100); > > if (fps->power == 0xFFFFFFFF) > - count += snprintf(&buf[count], PAGE_SIZE, "not-defined\n"); > + count += scnprintf(&buf[count], PAGE_SIZE - count, "not-defined\n"); > else > - count += snprintf(&buf[count], PAGE_SIZE, "%lld\n", fps->power); > + count += scnprintf(&buf[count], PAGE_SIZE - count, "%lld\n", fps->power); > > return count; > } > Applied as 5.7 material, thanks!
diff --git a/drivers/acpi/fan.c b/drivers/acpi/fan.c index aaf4e8f348cf..873e039ad4b7 100644 --- a/drivers/acpi/fan.c +++ b/drivers/acpi/fan.c @@ -276,29 +276,29 @@ static ssize_t show_state(struct device *dev, struct device_attribute *attr, cha int count; if (fps->control == 0xFFFFFFFF || fps->control > 100) - count = snprintf(buf, PAGE_SIZE, "not-defined:"); + count = scnprintf(buf, PAGE_SIZE, "not-defined:"); else - count = snprintf(buf, PAGE_SIZE, "%lld:", fps->control); + count = scnprintf(buf, PAGE_SIZE, "%lld:", fps->control); if (fps->trip_point == 0xFFFFFFFF || fps->trip_point > 9) - count += snprintf(&buf[count], PAGE_SIZE, "not-defined:"); + count += scnprintf(&buf[count], PAGE_SIZE - count, "not-defined:"); else - count += snprintf(&buf[count], PAGE_SIZE, "%lld:", fps->trip_point); + count += scnprintf(&buf[count], PAGE_SIZE - count, "%lld:", fps->trip_point); if (fps->speed == 0xFFFFFFFF) - count += snprintf(&buf[count], PAGE_SIZE, "not-defined:"); + count += scnprintf(&buf[count], PAGE_SIZE - count, "not-defined:"); else - count += snprintf(&buf[count], PAGE_SIZE, "%lld:", fps->speed); + count += scnprintf(&buf[count], PAGE_SIZE - count, "%lld:", fps->speed); if (fps->noise_level == 0xFFFFFFFF) - count += snprintf(&buf[count], PAGE_SIZE, "not-defined:"); + count += scnprintf(&buf[count], PAGE_SIZE - count, "not-defined:"); else - count += snprintf(&buf[count], PAGE_SIZE, "%lld:", fps->noise_level * 100); + count += scnprintf(&buf[count], PAGE_SIZE - count, "%lld:", fps->noise_level * 100); if (fps->power == 0xFFFFFFFF) - count += snprintf(&buf[count], PAGE_SIZE, "not-defined\n"); + count += scnprintf(&buf[count], PAGE_SIZE - count, "not-defined\n"); else - count += snprintf(&buf[count], PAGE_SIZE, "%lld\n", fps->power); + count += scnprintf(&buf[count], PAGE_SIZE - count, "%lld\n", fps->power); return count; }
Since snprintf() returns the would-be-output size instead of the actual output size, the succeeding calls may go beyond the given buffer limit. Fix it by replacing with scnprintf(). Also adjust the argument to really match with the actually remaining buffer size. Signed-off-by: Takashi Iwai <tiwai@suse.de> --- drivers/acpi/fan.c | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-)