
Commit 2da222f

tiwaidavem330
authored andcommitted
net: netdevsim: Use scnprintf() for avoiding potential buffer overflow
Since snprintf() returns the would-be-output size instead of the actual output size, the succeeding calls may go beyond the given buffer limit. Fix it by replacing with scnprintf(). Cc: "David S . Miller" <[email protected]> Cc: Jakub Kicinski <[email protected]> Cc: [email protected] Signed-off-by: Takashi Iwai <[email protected]> Signed-off-by: David S. Miller <[email protected]>
1 parent 5e89288 commit 2da222f


1 file changed

+15
-15
lines changed


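--- a/drivers/net/netdevsim/ipsec.c
+++ b/drivers/net/netdevsim/ipsec.c
@@ -29,28 +29,28 @@ static ssize_t nsim_dbg_netdev_ops_read(struct file *filp,
 return -ENOMEM;
 
 p = buf;
-p += snprintf(p, bufsize - (p - buf),
-"SA count=%u tx=%u\n",
-ipsec->count, ipsec->tx);
+p += scnprintf(p, bufsize - (p - buf),
+"SA count=%u tx=%u\n",
+ipsec->count, ipsec->tx);
 
 for (i = 0; i < NSIM_IPSEC_MAX_SA_COUNT; i++) {
 struct nsim_sa *sap = &ipsec->sa[i];
 
 if (!sap->used)
 continue;
 
-p += snprintf(p, bufsize - (p - buf),
-"sa[%i] %cx ipaddr=0x%08x %08x %08x %08x\n",
-i, (sap->rx ? 'r' : 't'), sap->ipaddr[0],
-sap->ipaddr[1], sap->ipaddr[2], sap->ipaddr[3]);
-p += snprintf(p, bufsize - (p - buf),
-"sa[%i] spi=0x%08x proto=0x%x salt=0x%08x crypt=%d\n",
-i, be32_to_cpu(sap->xs->id.spi),
-sap->xs->id.proto, sap->salt, sap->crypt);
-p += snprintf(p, bufsize - (p - buf),
-"sa[%i] key=0x%08x %08x %08x %08x\n",
-i, sap->key[0], sap->key[1],
-sap->key[2], sap->key[3]);
+p += scnprintf(p, bufsize - (p - buf),
+"sa[%i] %cx ipaddr=0x%08x %08x %08x %08x\n",
+i, (sap->rx ? 'r' : 't'), sap->ipaddr[0],
+sap->ipaddr[1], sap->ipaddr[2], sap->ipaddr[3]);
+p += scnprintf(p, bufsize - (p - buf),
+"sa[%i] spi=0x%08x proto=0x%x salt=0x%08x crypt=%d\n",
+i, be32_to_cpu(sap->xs->id.spi),
+sap->xs->id.proto, sap->salt, sap->crypt);
+p += scnprintf(p, bufsize - (p - buf),
+"sa[%i] key=0x%08x %08x %08x %08x\n",
+i, sap->key[0], sap->key[1],
+sap->key[2], sap->key[3]);
 }
 
 len = simple_read_from_buffer(buffer, count, ppos, buf, p - buf);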
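Review bot: Once `buf` fills, the `scnprintf()` calls in the `for` loop write nothing and return 0, so the debugfs reader gets a silently truncated SA listing, and nothing on the new side records that this is intended. A short comment above `p = buf;` would help, e.g. `/* scnprintf() returns bytes actually stored, so p stays within buf; output is truncated if bufsize is too small */`, and the loop could stop early with `if (p - buf >= bufsize - 1) break;`. `bufsize` is computed before the hunk starts, so whether it always covers NSIM_IPSEC_MAX_SA_COUNT entries cannot be confirmed from here. Separately, the `key=` and `salt=` lines put SA keying material into the debugfs file; that is presumably acceptable for a simulator, but it deserves a comment saying so.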
