Skip to content

Commit 13bde56

Browse files
tiwaidavem330
tiwai
authored and
davem330
committed
net: caif: Use scnprintf() for avoiding potential buffer overflow
Since snprintf() returns the would-be-output size instead of the actual output size, the succeeding calls may go beyond the given buffer limit. Fix it by replacing with scnprintf(). Cc: "David S . Miller" <[email protected]> Cc: [email protected] Signed-off-by: Takashi Iwai <[email protected]> Signed-off-by: David S. Miller <[email protected]>
1 parent cb851c0 commit 13bde56

File tree

1 file changed

+36
-36
lines changed

1 file changed

+36
-36
lines changed

drivers/net/caif/caif_spi.c

Lines changed: 36 additions & 36 deletions
Original file line numberDiff line numberDiff line change
@@ -141,29 +141,29 @@ static ssize_t dbgfs_state(struct file *file, char __user *user_buf,
141141
return 0;
142142

143143
/* Print out debug information. */
144-
len += snprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
145-
"CAIF SPI debug information:\n");
146-
147-
len += snprintf((buf + len), (DEBUGFS_BUF_SIZE - len), FLAVOR);
148-
149-
len += snprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
150-
"STATE: %d\n", cfspi->dbg_state);
151-
len += snprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
152-
"Previous CMD: 0x%x\n", cfspi->pcmd);
153-
len += snprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
154-
"Current CMD: 0x%x\n", cfspi->cmd);
155-
len += snprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
156-
"Previous TX len: %d\n", cfspi->tx_ppck_len);
157-
len += snprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
158-
"Previous RX len: %d\n", cfspi->rx_ppck_len);
159-
len += snprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
160-
"Current TX len: %d\n", cfspi->tx_cpck_len);
161-
len += snprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
162-
"Current RX len: %d\n", cfspi->rx_cpck_len);
163-
len += snprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
164-
"Next TX len: %d\n", cfspi->tx_npck_len);
165-
len += snprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
166-
"Next RX len: %d\n", cfspi->rx_npck_len);
144+
len += scnprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
145+
"CAIF SPI debug information:\n");
146+
147+
len += scnprintf((buf + len), (DEBUGFS_BUF_SIZE - len), FLAVOR);
148+
149+
len += scnprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
150+
"STATE: %d\n", cfspi->dbg_state);
151+
len += scnprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
152+
"Previous CMD: 0x%x\n", cfspi->pcmd);
153+
len += scnprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
154+
"Current CMD: 0x%x\n", cfspi->cmd);
155+
len += scnprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
156+
"Previous TX len: %d\n", cfspi->tx_ppck_len);
157+
len += scnprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
158+
"Previous RX len: %d\n", cfspi->rx_ppck_len);
159+
len += scnprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
160+
"Current TX len: %d\n", cfspi->tx_cpck_len);
161+
len += scnprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
162+
"Current RX len: %d\n", cfspi->rx_cpck_len);
163+
len += scnprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
164+
"Next TX len: %d\n", cfspi->tx_npck_len);
165+
len += scnprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
166+
"Next RX len: %d\n", cfspi->rx_npck_len);
167167

168168
if (len > DEBUGFS_BUF_SIZE)
169169
len = DEBUGFS_BUF_SIZE;
@@ -180,23 +180,23 @@ static ssize_t print_frame(char *buf, size_t size, char *frm,
180180
int len = 0;
181181
int i;
182182
for (i = 0; i < count; i++) {
183-
len += snprintf((buf + len), (size - len),
183+
len += scnprintf((buf + len), (size - len),
184184
"[0x" BYTE_HEX_FMT "]",
185185
frm[i]);
186186
if ((i == cut) && (count > (cut * 2))) {
187187
/* Fast forward. */
188188
i = count - cut;
189-
len += snprintf((buf + len), (size - len),
190-
"--- %zu bytes skipped ---\n",
191-
count - (cut * 2));
189+
len += scnprintf((buf + len), (size - len),
190+
"--- %zu bytes skipped ---\n",
191+
count - (cut * 2));
192192
}
193193

194194
if ((!(i % 10)) && i) {
195-
len += snprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
196-
"\n");
195+
len += scnprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
196+
"\n");
197197
}
198198
}
199-
len += snprintf((buf + len), (DEBUGFS_BUF_SIZE - len), "\n");
199+
len += scnprintf((buf + len), (DEBUGFS_BUF_SIZE - len), "\n");
200200
return len;
201201
}
202202

@@ -214,18 +214,18 @@ static ssize_t dbgfs_frame(struct file *file, char __user *user_buf,
214214
return 0;
215215

216216
/* Print out debug information. */
217-
len += snprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
218-
"Current frame:\n");
217+
len += scnprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
218+
"Current frame:\n");
219219

220-
len += snprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
221-
"Tx data (Len: %d):\n", cfspi->tx_cpck_len);
220+
len += scnprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
221+
"Tx data (Len: %d):\n", cfspi->tx_cpck_len);
222222

223223
len += print_frame((buf + len), (DEBUGFS_BUF_SIZE - len),
224224
cfspi->xfer.va_tx[0],
225225
(cfspi->tx_cpck_len + SPI_CMD_SZ), 100);
226226

227-
len += snprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
228-
"Rx data (Len: %d):\n", cfspi->rx_cpck_len);
227+
len += scnprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
228+
"Rx data (Len: %d):\n", cfspi->rx_cpck_len);
229229

230230
len += print_frame((buf + len), (DEBUGFS_BUF_SIZE - len),
231231
cfspi->xfer.va_rx,

0 commit comments

Comments
 (0)