diff mbox series

ssb: Use scnprintf() for avoiding potential buffer overflow

Message ID 20200311091739.22635-1-tiwai@suse.de (mailing list archive)
State Accepted
Commit ca44e47a2b8611178d38d4ed9532f793cf4244a8
Delegated to: Kalle Valo
Headers show
Series ssb: Use scnprintf() for avoiding potential buffer overflow | expand

Commit Message

Takashi Iwai March 11, 2020, 9:17 a.m. UTC
Since snprintf() returns the would-be-output size instead of the
actual output size, the succeeding calls may go beyond the given
buffer limit.  Fix it by replacing with scnprintf().

Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
 drivers/ssb/sprom.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Comments

Kalle Valo March 12, 2020, 1:44 p.m. UTC | #1
Takashi Iwai <tiwai@suse.de> wrote:

> Since snprintf() returns the would-be-output size instead of the
> actual output size, the succeeding calls may go beyond the given
> buffer limit.  Fix it by replacing with scnprintf().
> 
> Signed-off-by: Takashi Iwai <tiwai@suse.de>

Patch applied to wireless-drivers-next.git, thanks.

ca44e47a2b86 ssb: Use scnprintf() for avoiding potential buffer overflow
diff mbox series

Patch

diff --git a/drivers/ssb/sprom.c b/drivers/ssb/sprom.c
index 4f028a80d6c4..52d2e0f33be7 100644
--- a/drivers/ssb/sprom.c
+++ b/drivers/ssb/sprom.c
@@ -26,9 +26,9 @@  static int sprom2hex(const u16 *sprom, char *buf, size_t buf_len,
 	int i, pos = 0;
 
 	for (i = 0; i < sprom_size_words; i++)
-		pos += snprintf(buf + pos, buf_len - pos - 1,
+		pos += scnprintf(buf + pos, buf_len - pos - 1,
 				"%04X", swab16(sprom[i]) & 0xFFFF);
-	pos += snprintf(buf + pos, buf_len - pos - 1, "\n");
+	pos += scnprintf(buf + pos, buf_len - pos - 1, "\n");
 
 	return pos + 1;
 }