| Message ID | 20200316124941.8010-3-tiwai@suse.de (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | iio: Use scnprintf() for avoiding potential buffer overflow | expand |
On Mon, Mar 16, 2020 at 01:49:41PM +0100, Takashi Iwai wrote: > snprintf() is a hard-to-use function, it's especially difficult to use > it for concatenating substrings in a buffer with a limited size. > Since snprintf() returns the would-be-output size, not the actual > size, the subsequent use of snprintf() may go beyond the given limit > easily. Although the current code doesn't actually overflow the > buffer, it's an incorrect usage. > > This patch replaces such snprintf() calls with a safer version, > scnprintf(). > > Also this fixes the incorrect argument of the buffer limit size passed > to snprintf(), too. The size has to be decremented for the remaining > length. > > Signed-off-by: Takashi Iwai <tiwai@suse.de> Reviewed-by: Brian Masney <masneyb@onstation.org>
On Mon, 16 Mar 2020 12:20:26 -0400 Brian Masney <masneyb@onstation.org> wrote: > On Mon, Mar 16, 2020 at 01:49:41PM +0100, Takashi Iwai wrote: > > snprintf() is a hard-to-use function, it's especially difficult to use > > it for concatenating substrings in a buffer with a limited size. > > Since snprintf() returns the would-be-output size, not the actual > > size, the subsequent use of snprintf() may go beyond the given limit > > easily. Although the current code doesn't actually overflow the > > buffer, it's an incorrect usage. > > > > This patch replaces such snprintf() calls with a safer version, > > scnprintf(). > > > > Also this fixes the incorrect argument of the buffer limit size passed > > to snprintf(), too. The size has to be decremented for the remaining > > length. > > > > Signed-off-by: Takashi Iwai <tiwai@suse.de> > > Reviewed-by: Brian Masney <masneyb@onstation.org> Applied. Thanks for sorting this out. Jonathan
diff --git a/drivers/iio/light/tsl2772.c b/drivers/iio/light/tsl2772.c index be37fcbd4654..9fbde9b71b63 100644 --- a/drivers/iio/light/tsl2772.c +++ b/drivers/iio/light/tsl2772.c @@ -932,7 +932,7 @@ static ssize_t in_illuminance0_target_input_show(struct device *dev, { struct tsl2772_chip *chip = iio_priv(dev_to_iio_dev(dev)); - return snprintf(buf, PAGE_SIZE, "%d\n", chip->settings.als_cal_target); + return scnprintf(buf, PAGE_SIZE, "%d\n", chip->settings.als_cal_target); } static ssize_t in_illuminance0_target_input_store(struct device *dev, @@ -986,7 +986,7 @@ static ssize_t in_illuminance0_lux_table_show(struct device *dev, int offset = 0; while (i < TSL2772_MAX_LUX_TABLE_SIZE) { - offset += snprintf(buf + offset, PAGE_SIZE, "%u,%u,", + offset += scnprintf(buf + offset, PAGE_SIZE - offset, "%u,%u,", chip->tsl2772_device_lux[i].ch0, chip->tsl2772_device_lux[i].ch1); if (chip->tsl2772_device_lux[i].ch0 == 0) { @@ -1000,7 +1000,7 @@ static ssize_t in_illuminance0_lux_table_show(struct device *dev, i++; } - offset += snprintf(buf + offset, PAGE_SIZE, "\n"); + offset += scnprintf(buf + offset, PAGE_SIZE - offset, "\n"); return offset; }
snprintf() is a hard-to-use function, it's especially difficult to use it for concatenating substrings in a buffer with a limited size. Since snprintf() returns the would-be-output size, not the actual size, the subsequent use of snprintf() may go beyond the given limit easily. Although the current code doesn't actually overflow the buffer, it's an incorrect usage. This patch replaces such snprintf() calls with a safer version, scnprintf(). Also this fixes the incorrect argument of the buffer limit size passed to snprintf(), too. The size has to be decremented for the remaining length. Signed-off-by: Takashi Iwai <tiwai@suse.de> --- v1->v2: Fix the snprintf() buffer limit argument Rephrase the changelog drivers/iio/light/tsl2772.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)