diff mbox series

HID: hid-sensor-custom: Use scnprintf() for avoiding potential buffer overflow

Message ID 20200311073824.7431-1-tiwai@suse.de (mailing list archive)
State Mainlined
Commit 62a1a58039595698f644f560f00105bb4d5f5c7f
Delegated to: Jiri Kosina
Headers show
Series HID: hid-sensor-custom: Use scnprintf() for avoiding potential buffer overflow | expand

Commit Message

Takashi Iwai March 11, 2020, 7:38 a.m. UTC
Since snprintf() returns the would-be-output size instead of the
actual output size, the succeeding calls may go beyond the given
buffer limit.  Fix it by replacing with scnprintf().

Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
 drivers/hid/hid-sensor-custom.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

Comments

Jiri Kosina March 11, 2020, 11 a.m. UTC | #1
On Wed, 11 Mar 2020, Takashi Iwai wrote:

> Since snprintf() returns the would-be-output size instead of the
> actual output size, the succeeding calls may go beyond the given
> buffer limit.  Fix it by replacing with scnprintf().

Queued this one in for-5.6/upstream-fixes as well. Thank you Takashi,
diff mbox series

Patch

diff --git a/drivers/hid/hid-sensor-custom.c b/drivers/hid/hid-sensor-custom.c
index fb827c295842..4d25577a8573 100644
--- a/drivers/hid/hid-sensor-custom.c
+++ b/drivers/hid/hid-sensor-custom.c
@@ -313,7 +313,7 @@  static ssize_t show_value(struct device *dev, struct device_attribute *attr,
 
 			while (i < ret) {
 				if (i + attribute->size > ret) {
-					len += snprintf(&buf[len],
+					len += scnprintf(&buf[len],
 							PAGE_SIZE - len,
 							"%d ", values[i]);
 					break;
@@ -336,10 +336,10 @@  static ssize_t show_value(struct device *dev, struct device_attribute *attr,
 					++i;
 					break;
 				}
-				len += snprintf(&buf[len], PAGE_SIZE - len,
+				len += scnprintf(&buf[len], PAGE_SIZE - len,
 						"%lld ", value);
 			}
-			len += snprintf(&buf[len], PAGE_SIZE - len, "\n");
+			len += scnprintf(&buf[len], PAGE_SIZE - len, "\n");
 
 			return len;
 		} else if (input)