
staging: rtl8723bs: Use scnprintf() for avoiding potential buffer overflow

Since snprintf() returns the would-be-output size instead of the
actual output size, the succeeding calls may go beyond the given
buffer limit. Fix it by replacing with scnprintf().

Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://lore.kernel.org/r/20200311092451.23933-4-tiwai@suse.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

authored by

Takashi Iwai and committed by
Greg Kroah-Hartman
038341dc 39ddadf1

+9 -9
+7 -7
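--- a/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
+++ b/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
@@ -326,20 +326,20 @@
 dvobj->on_oper_ch_time = jiffies;
 
 #ifdef DBG_CH_SWITCH
-cnt += snprintf(msg+cnt, len-cnt, "switch to ch %3u", ch);
+cnt += scnprintf(msg+cnt, len-cnt, "switch to ch %3u", ch);
 
 for (i = 0; i < dvobj->iface_nums; i++) {
 struct adapter *iface = dvobj->padapters[i];
-cnt += snprintf(msg+cnt, len-cnt, " ["ADPT_FMT":", ADPT_ARG(iface));
+cnt += scnprintf(msg+cnt, len-cnt, " ["ADPT_FMT":", ADPT_ARG(iface));
 if (iface->mlmeextpriv.cur_channel == ch)
-cnt += snprintf(msg+cnt, len-cnt, "C");
+cnt += scnprintf(msg+cnt, len-cnt, "C");
 else
-cnt += snprintf(msg+cnt, len-cnt, "_");
+cnt += scnprintf(msg+cnt, len-cnt, "_");
 if (iface->wdinfo.listen_channel == ch && !rtw_p2p_chk_state(&iface->wdinfo, P2P_STATE_NONE))
-cnt += snprintf(msg+cnt, len-cnt, "L");
+cnt += scnprintf(msg+cnt, len-cnt, "L");
 else
-cnt += snprintf(msg+cnt, len-cnt, "_");
-cnt += snprintf(msg+cnt, len-cnt, "]");
+cnt += scnprintf(msg+cnt, len-cnt, "_");
+cnt += scnprintf(msg+cnt, len-cnt, "]");
 }
 
 DBG_871X(FUNC_ADPT_FMT" %s\n", FUNC_ADPT_ARG(adapter), msg);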
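Review bot: The invariant that makes the `cnt +=` accumulation safe is not recorded next to the code, so a later cleanup could switch these calls back to snprintf() without noticing. A one-line comment above the first call, such as `/* scnprintf() returns the bytes actually written, so cnt never exceeds len - 1 */`, would keep that visible. `msg` and `len` are declared outside this hunk, so it is worth confirming that `len` is the real size of `msg`, since the bound depends on it. The output is now truncated silently once the buffer fills, which looks acceptable for a message that only feeds DBG_871X under DBG_CH_SWITCH.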
+2 -2
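--- a/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c
+++ b/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c
@@ -197,12 +197,12 @@
 if (!custom)
 return start;
 p = custom;
-p += snprintf(p, MAX_CUSTOM_LEN - (p - custom), " Rates (Mb/s): ");
+p += scnprintf(p, MAX_CUSTOM_LEN - (p - custom), " Rates (Mb/s): ");
 while (pnetwork->network.SupportedRates[i] != 0) {
 rate = pnetwork->network.SupportedRates[i]&0x7F;
 if (rate > max_rate)
 max_rate = rate;
-p += snprintf(p, MAX_CUSTOM_LEN - (p - custom),
+p += scnprintf(p, MAX_CUSTOM_LEN - (p - custom),
 "%d%s ", rate >> 1, (rate & 1) ? ".5" : "");
 i++;
 }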
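Review bot: The `while (pnetwork->network.SupportedRates[i] != 0)` loop stops only on a zero byte, so the read index is never checked against the size of SupportedRates; scnprintf() now bounds the writes into `custom`, but not this read. If the rate list can fill the array without a terminator (its declaration and how it is populated are outside this hunk), `i` runs past the end of the array. Bounding the condition, for example `while (i < ARRAY_SIZE(pnetwork->network.SupportedRates) && pnetwork->network.SupportedRates[i] != 0) {`, would close that, assuming SupportedRates is an array member and not a pointer. The enclosing function starts and ends outside the hunk.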