
tty: nozomi: Use scnprintf() for avoiding potential buffer overflow

Since snprintf() returns the size the output would have had, not the
number of bytes actually written, the succeeding calls may advance p
beyond the given buffer limit. Fix it by replacing with scnprintf().

Also rewrite the code in a standard if-form instead of ugly
conditional operators.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://lore.kernel.org/r/20200311092905.24362-1-tiwai@suse.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

authored by

Takashi Iwai and committed by
Greg Kroah-Hartman
caa47cc6 e39c0ffe

+28 -29
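--- a/drivers/tty/nozomi.c
+++ b/drivers/tty/nozomi.c
@@ -839,40 +839,39 @@
 static char buf[TMP_BUF_MAX];
 char *p = buf;
 
-interrupt & MDM_DL1 ? p += snprintf(p, TMP_BUF_MAX, "MDM_DL1 ") : NULL;
-interrupt & MDM_DL2 ? p += snprintf(p, TMP_BUF_MAX - (p - buf),
-"MDM_DL2 ") : NULL;
+if (interrupt & MDM_DL1)
+p += scnprintf(p, TMP_BUF_MAX, "MDM_DL1 ");
+if (interrupt & MDM_DL2)
+p += scnprintf(p, TMP_BUF_MAX - (p - buf), "MDM_DL2 ");
+if (interrupt & MDM_UL1)
+p += scnprintf(p, TMP_BUF_MAX - (p - buf), "MDM_UL1 ");
+if (interrupt & MDM_UL2)
+p += scnprintf(p, TMP_BUF_MAX - (p - buf), "MDM_UL2 ");
+if (interrupt & DIAG_DL1)
+p += scnprintf(p, TMP_BUF_MAX - (p - buf), "DIAG_DL1 ");
+if (interrupt & DIAG_DL2)
+p += scnprintf(p, TMP_BUF_MAX - (p - buf), "DIAG_DL2 ");
 
-interrupt & MDM_UL1 ? p += snprintf(p, TMP_BUF_MAX - (p - buf),
-"MDM_UL1 ") : NULL;
-interrupt & MDM_UL2 ? p += snprintf(p, TMP_BUF_MAX - (p - buf),
-"MDM_UL2 ") : NULL;
+if (interrupt & DIAG_UL)
+p += scnprintf(p, TMP_BUF_MAX - (p - buf), "DIAG_UL ");
 
-interrupt & DIAG_DL1 ? p += snprintf(p, TMP_BUF_MAX - (p - buf),
-"DIAG_DL1 ") : NULL;
-interrupt & DIAG_DL2 ? p += snprintf(p, TMP_BUF_MAX - (p - buf),
-"DIAG_DL2 ") : NULL;
+if (interrupt & APP1_DL)
+p += scnprintf(p, TMP_BUF_MAX - (p - buf), "APP1_DL ");
+if (interrupt & APP2_DL)
+p += scnprintf(p, TMP_BUF_MAX - (p - buf), "APP2_DL ");
 
-interrupt & DIAG_UL ? p += snprintf(p, TMP_BUF_MAX - (p - buf),
-"DIAG_UL ") : NULL;
+if (interrupt & APP1_UL)
+p += scnprintf(p, TMP_BUF_MAX - (p - buf), "APP1_UL ");
+if (interrupt & APP2_UL)
+p += scnprintf(p, TMP_BUF_MAX - (p - buf), "APP2_UL ");
 
-interrupt & APP1_DL ? p += snprintf(p, TMP_BUF_MAX - (p - buf),
-"APP1_DL ") : NULL;
-interrupt & APP2_DL ? p += snprintf(p, TMP_BUF_MAX - (p - buf),
-"APP2_DL ") : NULL;
+if (interrupt & CTRL_DL)
+p += scnprintf(p, TMP_BUF_MAX - (p - buf), "CTRL_DL ");
+if (interrupt & CTRL_UL)
+p += scnprintf(p, TMP_BUF_MAX - (p - buf), "CTRL_UL ");
 
-interrupt & APP1_UL ? p += snprintf(p, TMP_BUF_MAX - (p - buf),
-"APP1_UL ") : NULL;
-interrupt & APP2_UL ? p += snprintf(p, TMP_BUF_MAX - (p - buf),
-"APP2_UL ") : NULL;
-
-interrupt & CTRL_DL ? p += snprintf(p, TMP_BUF_MAX - (p - buf),
-"CTRL_DL ") : NULL;
-interrupt & CTRL_UL ? p += snprintf(p, TMP_BUF_MAX - (p - buf),
-"CTRL_UL ") : NULL;
-
-interrupt & RESET ? p += snprintf(p, TMP_BUF_MAX - (p - buf),
-"RESET ") : NULL;
+if (interrupt & RESET)
+p += scnprintf(p, TMP_BUF_MAX - (p - buf), "RESET ");
 
 return buf;
 }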
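Review bot: When no bit in `interrupt` is set, none of the guarded scnprintf() calls runs and nothing is written into the static `buf`, so the function returns whatever the previous call left there; the new if-chain keeps that behaviour, and a caller printing the result for a zero mask gets a stale, misleading string. Terminating the buffer up front, `*p = '\0';` directly after `char *p = buf;`, makes the empty case return an empty string. The first call passes `TMP_BUF_MAX` while the other fourteen pass `TMP_BUF_MAX - (p - buf)`; the two are equal there because `p == buf`, but using the same expression everywhere keeps the bound obviously correct if a line is ever reordered. Two caveats that cannot be confirmed from the hunk: scnprintf() truncates silently, so if TMP_BUF_MAX (defined outside this hunk) is smaller than the combined length of all flag names a mask with many bits set yields a cut-off string with no indication, and since `buf` is a single static array the helper is not reentrant, which is presumably acceptable only if its callers are serialised. The enclosing function's signature is above the hunk.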