net: sfc: Use scnprintf() for avoiding potential buffer overflow

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

Since snprintf() returns the would-be-output size instead of the
actual output size, the succeeding calls may go beyond the given
buffer limit. Fix it by replacing with scnprintf().

Cc: "David S . Miller" <davem@davemloft.net>
Cc: Edward Cree <ecree@solarflare.com>
Cc: Martin Habets <mhabets@solarflare.com>
Cc: Solarflare linux maintainers <linux-net-drivers@solarflare.com>
Cc: netdev@vger.kernel.org
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: David S. Miller <davem@davemloft.net>

authored by

Takashi Iwai and committed by

David S. Miller 6 years ago 5e892880 38e0f746

+18 -14

1 changed file

expand all

drivers

net

ethernet

sfc

mcdi.c

+18 -14

drivers/net/ethernet/sfc/mcdi.c

··· 212 212 * progress on a NIC at any one time. So no need for locking. 213 213 */ 214 214 for (i = 0; i < hdr_len / 4 && bytes < PAGE_SIZE; i++) 215 - bytes += snprintf(buf + bytes, PAGE_SIZE - bytes, 216 - " %08x", le32_to_cpu(hdr[i].u32[0])); 215 + bytes += scnprintf(buf + bytes, PAGE_SIZE - bytes, 216 + " %08x", 217 + le32_to_cpu(hdr[i].u32[0])); 217 218 218 219 for (i = 0; i < inlen / 4 && bytes < PAGE_SIZE; i++) 219 - bytes += snprintf(buf + bytes, PAGE_SIZE - bytes, 220 - " %08x", le32_to_cpu(inbuf[i].u32[0])); 220 + bytes += scnprintf(buf + bytes, PAGE_SIZE - bytes, 221 + " %08x", 222 + le32_to_cpu(inbuf[i].u32[0])); 221 223 222 224 netif_info(efx, hw, efx->net_dev, "MCDI RPC REQ:%s\n", buf); 223 225 } ··· 304 302 */ 305 303 for (i = 0; i < hdr_len && bytes < PAGE_SIZE; i++) { 306 304 efx->type->mcdi_read_response(efx, &hdr, (i * 4), 4); 307 - bytes += snprintf(buf + bytes, PAGE_SIZE - bytes, 308 - " %08x", le32_to_cpu(hdr.u32[0])); 305 + bytes += scnprintf(buf + bytes, PAGE_SIZE - bytes, 306 + " %08x", le32_to_cpu(hdr.u32[0])); 309 307 } 310 308 311 309 for (i = 0; i < data_len && bytes < PAGE_SIZE; i++) { 312 310 efx->type->mcdi_read_response(efx, &hdr, 313 311 mcdi->resp_hdr_len + (i * 4), 4); 314 - bytes += snprintf(buf + bytes, PAGE_SIZE - bytes, 315 - " %08x", le32_to_cpu(hdr.u32[0])); 312 + bytes += scnprintf(buf + bytes, PAGE_SIZE - bytes, 313 + " %08x", le32_to_cpu(hdr.u32[0])); 316 314 } 317 315 318 316 netif_info(efx, hw, efx->net_dev, "MCDI RPC RESP:%s\n", buf); ··· 1419 1417 } 1420 1418 1421 1419 ver_words = (__le16 *)MCDI_PTR(outbuf, GET_VERSION_OUT_VERSION); 1422 - offset = snprintf(buf, len, "%u.%u.%u.%u", 1423 - le16_to_cpu(ver_words[0]), le16_to_cpu(ver_words[1]), 1424 - le16_to_cpu(ver_words[2]), le16_to_cpu(ver_words[3])); 1420 + offset = scnprintf(buf, len, "%u.%u.%u.%u", 1421 + le16_to_cpu(ver_words[0]), 1422 + le16_to_cpu(ver_words[1]), 1423 + le16_to_cpu(ver_words[2]), 1424 + le16_to_cpu(ver_words[3])); 1425 1425 1426 1426 /* EF10 may have multiple datapath firmware variants within a 1427 1427 * single version. Report which variants are running. ··· 1431 1427 if (efx_nic_rev(efx) >= EFX_REV_HUNT_A0) { 1432 1428 struct efx_ef10_nic_data *nic_data = efx->nic_data; 1433 1429 1434 - offset += snprintf(buf + offset, len - offset, " rx%x tx%x", 1435 - nic_data->rx_dpcpu_fw_id, 1436 - nic_data->tx_dpcpu_fw_id); 1430 + offset += scnprintf(buf + offset, len - offset, " rx%x tx%x", 1431 + nic_data->rx_dpcpu_fw_id, 1432 + nic_data->tx_dpcpu_fw_id); 1437 1433 1438 1434 /* It's theoretically possible for the string to exceed 31 1439 1435 * characters, though in practice the first three version