[PATCH] misc: mic: Use scnprintf() for avoiding potential buffer overflow

From: Takashi Iwai
Date: Wed Mar 11 2020 - 03:49:25 EST

Next message: Michael Walle: "[PATCH v2 0/4] arm64: dts: ls1028a: various sl28 fixes/updates"
Previous message: Tero Kristo: "Re: [PATCHv2 1/4] dt-bindings: watchdog: Add support for TI K3 RTI watchdog"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Since snprintf() returns the would-be-output size instead of the
actual output size, the succeeding calls may go beyond the given
buffer limit. Fix it by replacing with scnprintf().

Signed-off-by: Takashi Iwai <tiwai@xxxxxxx>
---
drivers/misc/mic/host/mic_x100.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/misc/mic/host/mic_x100.c b/drivers/misc/mic/host/mic_x100.c
index a7743312da9c..d18cda966912 100644
--- a/drivers/misc/mic/host/mic_x100.c
+++ b/drivers/misc/mic/host/mic_x100.c
@@ -350,10 +350,10 @@ mic_x100_load_command_line(struct mic_device *mdev, const struct firmware *fw)
if (!buf)
return -ENOMEM;

- len += snprintf(buf, CMDLINE_SIZE - len,
+ len += scnprintf(buf, CMDLINE_SIZE - len,
" mem=%dM", boot_mem);
if (mdev->cosm_dev->cmdline)
- snprintf(buf + len, CMDLINE_SIZE - len, " %s",
+ scnprintf(buf + len, CMDLINE_SIZE - len, " %s",
mdev->cosm_dev->cmdline);
memcpy_toio(cmd_line_va, buf, strlen(buf) + 1);
kfree(buf);
--
2.16.4

Next message: Michael Walle: "[PATCH v2 0/4] arm64: dts: ls1028a: various sl28 fixes/updates"
Previous message: Tero Kristo: "Re: [PATCHv2 1/4] dt-bindings: watchdog: Add support for TI K3 RTI watchdog"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]