
net: netdevsim: Use scnprintf() for avoiding potential buffer overflow

Since snprintf() returns the would-be-output size instead of the
actual output size, the succeeding calls may go beyond the given
buffer limit. Fix it by replacing with scnprintf().

Cc: "David S . Miller" <davem@davemloft.net>
Cc: Jakub Kicinski <kuba@kernel.org>
Cc: netdev@vger.kernel.org
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: David S. Miller <davem@davemloft.net>

authored by

Takashi Iwai and committed by
David S. Miller
2da222f6 5e892880

+15 -15
+15 -15
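--- a/drivers/net/netdevsim/ipsec.c
+++ b/drivers/net/netdevsim/ipsec.c
@@ -29,9 +29,9 @@
 return -ENOMEM;
 
 p = buf;
-p += snprintf(p, bufsize - (p - buf),
-"SA count=%u tx=%u\n",
-ipsec->count, ipsec->tx);
+p += scnprintf(p, bufsize - (p - buf),
+"SA count=%u tx=%u\n",
+ipsec->count, ipsec->tx);
 
 for (i = 0; i < NSIM_IPSEC_MAX_SA_COUNT; i++) {
 struct nsim_sa *sap = &ipsec->sa[i];
@@ -39,18 +39,18 @@
 if (!sap->used)
 continue;
 
-p += snprintf(p, bufsize - (p - buf),
-"sa[%i] %cx ipaddr=0x%08x %08x %08x %08x\n",
-i, (sap->rx ? 'r' : 't'), sap->ipaddr[0],
-sap->ipaddr[1], sap->ipaddr[2], sap->ipaddr[3]);
-p += snprintf(p, bufsize - (p - buf),
-"sa[%i] spi=0x%08x proto=0x%x salt=0x%08x crypt=%d\n",
-i, be32_to_cpu(sap->xs->id.spi),
-sap->xs->id.proto, sap->salt, sap->crypt);
-p += snprintf(p, bufsize - (p - buf),
-"sa[%i] key=0x%08x %08x %08x %08x\n",
-i, sap->key[0], sap->key[1],
-sap->key[2], sap->key[3]);
+p += scnprintf(p, bufsize - (p - buf),
+"sa[%i] %cx ipaddr=0x%08x %08x %08x %08x\n",
+i, (sap->rx ? 'r' : 't'), sap->ipaddr[0],
+sap->ipaddr[1], sap->ipaddr[2], sap->ipaddr[3]);
+p += scnprintf(p, bufsize - (p - buf),
+"sa[%i] spi=0x%08x proto=0x%x salt=0x%08x crypt=%d\n",
+i, be32_to_cpu(sap->xs->id.spi),
+sap->xs->id.proto, sap->salt, sap->crypt);
+p += scnprintf(p, bufsize - (p - buf),
+"sa[%i] key=0x%08x %08x %08x %08x\n",
+i, sap->key[0], sap->key[1],
+sap->key[2], sap->key[3]);
 }
 
 len = simple_read_from_buffer(buffer, count, ppos, buf, p - buf);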
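Review bot: A full buffer is now handled safely but silently. Once `p - buf` reaches `bufsize - 1`, every later scnprintf() in the loop writes nothing, and the read returns a dump cut off mid-list with no marker that entries are missing. How `bufsize` is computed lies outside the hunk, so whether truncation can occur with all NSIM_IPSEC_MAX_SA_COUNT entries in use cannot be confirmed from here. If the buffer is meant to hold the worst case, a comment above `p = buf;` would record that, for example `/* bufsize must hold the header line plus three lines per SA; scnprintf() only clamps if that sizing is ever wrong */`. The enclosing function starts and ends outside the hunk.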