Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

libata: transport: Use scnprintf() for avoiding potential buffer overflow

Since snprintf() returns the would-be-output size instead of the
actual output size, the succeeding calls may go beyond the given
buffer limit. Fix it by replacing with scnprintf().

Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jens Axboe <axboe@kernel.dk>

authored by

Takashi Iwai and committed by
Jens Axboe
a900cc5c 2c523b34

+5 -5
+5 -5
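--- a/drivers/ata/libata-transport.c
+++ b/drivers/ata/libata-transport.c
@@ -208,7 +208,7 @@
 { \
 struct ata_port *ap = transport_class_to_port(dev); \
 \
-return snprintf(buf, 20, format_string, cast ap->field); \
+return scnprintf(buf, 20, format_string, cast ap->field); \
 }
 
 #define ata_port_simple_attr(field, name, format_string, type) \
@@ -479,7 +479,7 @@
 { \
 struct ata_device *ata_dev = transport_class_to_dev(dev); \
 \
-return snprintf(buf, 20, format_string, cast ata_dev->field); \
+return scnprintf(buf, 20, format_string, cast ata_dev->field); \
 }
 
 #define ata_dev_simple_attr(field, format_string, type) \
@@ -533,7 +533,7 @@
 if (ata_dev->class == ATA_DEV_PMP)
 return 0;
 for(i=0;i<ATA_ID_WORDS;i++) {
-written += snprintf(buf+written, 20, "%04x%c",
+written += scnprintf(buf+written, 20, "%04x%c",
 ata_dev->id[i],
 ((i+1) & 7) ? ' ' : '\n');
 }
@@ -552,7 +552,7 @@
 if (ata_dev->class != ATA_DEV_PMP)
 return 0;
 for(i=0;i<SATA_PMP_GSCR_DWORDS;i++) {
-written += snprintf(buf+written, 20, "%08x%c",
+written += scnprintf(buf+written, 20, "%08x%c",
 ata_dev->gscr[i],
 ((i+1) & 3) ? ' ' : '\n');
 }
@@ -581,7 +581,7 @@
 else
 mode = "unqueued";
 
-return snprintf(buf, 20, "%s\n", mode);
+return scnprintf(buf, 20, "%s\n", mode);
 }
 
 static DEVICE_ATTR(trim, S_IRUGO, show_ata_dev_trim, NULL);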
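Review bot: In the two loops (new lines 536 and 555) the size argument is still the constant `20`, which bounds each individual write but has no relation to the space left in `buf` after `written` bytes, so staying inside the buffer depends on the loop counts rather than on the bound itself. If these are sysfs show callbacks with a PAGE_SIZE buffer, as the `DEVICE_ATTR` context line suggests, the bound is better expressed as the remainder, e.g. `written += scnprintf(buf+written, PAGE_SIZE-written, "%04x%c",` and likewise for the `"%08x%c"` call. At the single-call sites (211, 482, 584) scnprintf() truncates silently at 19 characters, which can drop the trailing newline, so a short comment stating why `20` is enough for every `format_string` passed to the macros would help. The enclosing functions and macros begin outside the visible hunks, so the declarations of `buf` and `written` cannot be checked here.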