Message ID | 20200311091739.22635-1-tiwai@suse.de (mailing list archive) |
---|---|
State | Accepted |
Commit | ca44e47a2b8611178d38d4ed9532f793cf4244a8 |
Delegated to: | Kalle Valo |
Headers | show |
Series | ssb: Use scnprintf() for avoiding potential buffer overflow | expand |
Takashi Iwai <tiwai@suse.de> wrote: > Since snprintf() returns the would-be-output size instead of the > actual output size, the succeeding calls may go beyond the given > buffer limit. Fix it by replacing with scnprintf(). > > Signed-off-by: Takashi Iwai <tiwai@suse.de> Patch applied to wireless-drivers-next.git, thanks. ca44e47a2b86 ssb: Use scnprintf() for avoiding potential buffer overflow
diff --git a/drivers/ssb/sprom.c b/drivers/ssb/sprom.c index 4f028a80d6c4..52d2e0f33be7 100644 --- a/drivers/ssb/sprom.c +++ b/drivers/ssb/sprom.c @@ -26,9 +26,9 @@ static int sprom2hex(const u16 *sprom, char *buf, size_t buf_len, int i, pos = 0; for (i = 0; i < sprom_size_words; i++) - pos += snprintf(buf + pos, buf_len - pos - 1, + pos += scnprintf(buf + pos, buf_len - pos - 1, "%04X", swab16(sprom[i]) & 0xFFFF); - pos += snprintf(buf + pos, buf_len - pos - 1, "\n"); + pos += scnprintf(buf + pos, buf_len - pos - 1, "\n"); return pos + 1; }
Since snprintf() returns the would-be-output size instead of the actual output size, the succeeding calls may go beyond the given buffer limit. Fix it by replacing with scnprintf(). Signed-off-by: Takashi Iwai <tiwai@suse.de> --- drivers/ssb/sprom.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)