
USB: mon: Use scnprintf() for avoiding potential buffer overflow

Since snprintf() returns the would-be output size rather than the number
of bytes actually written, subsequent calls may write beyond the given
buffer limit. Fix it by replacing it with scnprintf().

Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://lore.kernel.org/r/20200311093003.24604-1-tiwai@suse.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

authored by

Takashi Iwai and committed by
Greg Kroah-Hartman
0de005d0 8e567ed9

+18 -18
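--- a/drivers/usb/mon/mon_text.c
+++ b/drivers/usb/mon/mon_text.c
@@ -414,7 +414,7 @@
 
 		mon_text_read_head_t(rp, &ptr, ep);
 		mon_text_read_statset(rp, &ptr, ep);
-		ptr.cnt += snprintf(ptr.pbuf + ptr.cnt, ptr.limit - ptr.cnt,
+		ptr.cnt += scnprintf(ptr.pbuf + ptr.cnt, ptr.limit - ptr.cnt,
 		    " %d", ep->length);
 		mon_text_read_data(rp, &ptr, ep);
 
@@ -462,7 +462,7 @@
 		} else {
 			mon_text_read_statset(rp, &ptr, ep);
 		}
-		ptr.cnt += snprintf(ptr.pbuf + ptr.cnt, ptr.limit - ptr.cnt,
+		ptr.cnt += scnprintf(ptr.pbuf + ptr.cnt, ptr.limit - ptr.cnt,
 		    " %d", ep->length);
 		mon_text_read_data(rp, &ptr, ep);
 
@@ -520,7 +520,7 @@
 	case USB_ENDPOINT_XFER_CONTROL: utype = 'C'; break;
 	default: /* PIPE_BULK */ utype = 'B';
 	}
-	p->cnt += snprintf(p->pbuf + p->cnt, p->limit - p->cnt,
+	p->cnt += scnprintf(p->pbuf + p->cnt, p->limit - p->cnt,
 	    "%lx %u %c %c%c:%03u:%02u",
 	    ep->id, ep->tstamp, ep->type,
 	    utype, udir, ep->devnum, ep->epnum);
@@ -538,7 +538,7 @@
 	case USB_ENDPOINT_XFER_CONTROL: utype = 'C'; break;
 	default: /* PIPE_BULK */ utype = 'B';
 	}
-	p->cnt += snprintf(p->pbuf + p->cnt, p->limit - p->cnt,
+	p->cnt += scnprintf(p->pbuf + p->cnt, p->limit - p->cnt,
 	    "%lx %u %c %c%c:%d:%03u:%u",
 	    ep->id, ep->tstamp, ep->type,
 	    utype, udir, ep->busnum, ep->devnum, ep->epnum);
@@ -549,7 +549,7 @@
 {
 
 	if (ep->setup_flag == 0) { /* Setup packet is present and captured */
-		p->cnt += snprintf(p->pbuf + p->cnt, p->limit - p->cnt,
+		p->cnt += scnprintf(p->pbuf + p->cnt, p->limit - p->cnt,
 		    " s %02x %02x %04x %04x %04x",
 		    ep->setup[0],
 		    ep->setup[1],
@@ -557,10 +557,10 @@
 		    (ep->setup[5] << 8) | ep->setup[4],
 		    (ep->setup[7] << 8) | ep->setup[6]);
 	} else if (ep->setup_flag != '-') { /* Unable to capture setup packet */
-		p->cnt += snprintf(p->pbuf + p->cnt, p->limit - p->cnt,
+		p->cnt += scnprintf(p->pbuf + p->cnt, p->limit - p->cnt,
 		    " %c __ __ ____ ____ ____", ep->setup_flag);
 	} else { /* No setup for this kind of URB */
-		p->cnt += snprintf(p->pbuf + p->cnt, p->limit - p->cnt,
+		p->cnt += scnprintf(p->pbuf + p->cnt, p->limit - p->cnt,
 		    " %d", ep->status);
 	}
 }
@@ -568,7 +568,7 @@
 static void mon_text_read_intstat(struct mon_reader_text *rp,
     struct mon_text_ptr *p, const struct mon_event_text *ep)
 {
-	p->cnt += snprintf(p->pbuf + p->cnt, p->limit - p->cnt,
+	p->cnt += scnprintf(p->pbuf + p->cnt, p->limit - p->cnt,
 	    " %d:%d", ep->status, ep->interval);
 }
 
@@ -576,10 +576,10 @@
     struct mon_text_ptr *p, const struct mon_event_text *ep)
 {
 	if (ep->type == 'S') {
-		p->cnt += snprintf(p->pbuf + p->cnt, p->limit - p->cnt,
+		p->cnt += scnprintf(p->pbuf + p->cnt, p->limit - p->cnt,
 		    " %d:%d:%d", ep->status, ep->interval, ep->start_frame);
 	} else {
-		p->cnt += snprintf(p->pbuf + p->cnt, p->limit - p->cnt,
+		p->cnt += scnprintf(p->pbuf + p->cnt, p->limit - p->cnt,
 		    " %d:%d:%d:%d",
 		    ep->status, ep->interval, ep->start_frame, ep->error_count);
 	}
@@ -592,7 +592,7 @@
 	int i;
 	const struct mon_iso_desc *dp;
 
-	p->cnt += snprintf(p->pbuf + p->cnt, p->limit - p->cnt,
+	p->cnt += scnprintf(p->pbuf + p->cnt, p->limit - p->cnt,
 	    " %d", ep->numdesc);
 	ndesc = ep->numdesc;
 	if (ndesc > ISODESC_MAX)
@@ -601,7 +601,7 @@
 		ndesc = 0;
 	dp = ep->isodesc;
 	for (i = 0; i < ndesc; i++) {
-		p->cnt += snprintf(p->pbuf + p->cnt, p->limit - p->cnt,
+		p->cnt += scnprintf(p->pbuf + p->cnt, p->limit - p->cnt,
 		    " %d:%u:%u", dp->status, dp->offset, dp->length);
 		dp++;
 	}
@@ -614,28 +614,28 @@
 
 	if ((data_len = ep->length) > 0) {
 		if (ep->data_flag == 0) {
-			p->cnt += snprintf(p->pbuf + p->cnt, p->limit - p->cnt,
+			p->cnt += scnprintf(p->pbuf + p->cnt, p->limit - p->cnt,
 			    " =");
 			if (data_len >= DATA_MAX)
 				data_len = DATA_MAX;
 			for (i = 0; i < data_len; i++) {
 				if (i % 4 == 0) {
-					p->cnt += snprintf(p->pbuf + p->cnt,
+					p->cnt += scnprintf(p->pbuf + p->cnt,
 					    p->limit - p->cnt,
 					    " ");
 				}
-				p->cnt += snprintf(p->pbuf + p->cnt,
+				p->cnt += scnprintf(p->pbuf + p->cnt,
 				    p->limit - p->cnt,
 				    "%02x", ep->data[i]);
 			}
-			p->cnt += snprintf(p->pbuf + p->cnt, p->limit - p->cnt,
+			p->cnt += scnprintf(p->pbuf + p->cnt, p->limit - p->cnt,
 			    "\n");
 		} else {
-			p->cnt += snprintf(p->pbuf + p->cnt, p->limit - p->cnt,
+			p->cnt += scnprintf(p->pbuf + p->cnt, p->limit - p->cnt,
 			    " %c\n", ep->data_flag);
 		}
 	} else {
-		p->cnt += snprintf(p->pbuf + p->cnt, p->limit - p->cnt, "\n");
+		p->cnt += scnprintf(p->pbuf + p->cnt, p->limit - p->cnt, "\n");
 	}
 }
 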
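Review bot: With scnprintf() the running total `p->cnt` is clamped at `p->limit - 1`, so once the buffer fills every later call in mon_text_read_data (lines 617–638) returns 0 and the event record is cut short silently; if that happens before the terminating `"\n"` at line 631 or 638, a consumer reading the text interface line by line could see this event fused with the next one. The commit closes the overflow but neither detects nor documents the truncation. I would add at the first scnprintf() in mon_text_read_data a comment such as `/* scnprintf() clamps cnt to limit - 1; an oversized event is truncated silently and may lose its trailing newline */`, or check `p->cnt >= p->limit - 1` after the hex-dump loop so the caller can flag a dropped record. Whether the buffer can actually fill depends on the size assigned to ptr.limit, which is set outside this diff.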