
mac80211: fix some snprintf misuses

In some debugfs related functions snprintf was used
while scnprintf should have been used instead.

(blindly adding snprintf's return value to the running offset and passing
the result to the next snprintf can overflow the buffer when the formatted
output is longer than the buffer)

Signed-off-by: Eliad Peller <eliad@wizery.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>

authored by

Eliad Peller and committed by
Johannes Berg
f364ef99 ee4bc9e7

+54 -49
+29 -26
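--- a/net/mac80211/debugfs.c
+++ b/net/mac80211/debugfs.c
@@ -103,54 +103,57 @@
 	if (!buf)
 		return 0;
 
-	sf += snprintf(buf, mxln - sf, "0x%x\n", local->hw.flags);
+	sf += scnprintf(buf, mxln - sf, "0x%x\n", local->hw.flags);
 	if (local->hw.flags & IEEE80211_HW_HAS_RATE_CONTROL)
-		sf += snprintf(buf + sf, mxln - sf, "HAS_RATE_CONTROL\n");
+		sf += scnprintf(buf + sf, mxln - sf, "HAS_RATE_CONTROL\n");
 	if (local->hw.flags & IEEE80211_HW_RX_INCLUDES_FCS)
-		sf += snprintf(buf + sf, mxln - sf, "RX_INCLUDES_FCS\n");
+		sf += scnprintf(buf + sf, mxln - sf, "RX_INCLUDES_FCS\n");
 	if (local->hw.flags & IEEE80211_HW_HOST_BROADCAST_PS_BUFFERING)
-		sf += snprintf(buf + sf, mxln - sf,
-			       "HOST_BCAST_PS_BUFFERING\n");
+		sf += scnprintf(buf + sf, mxln - sf,
+				"HOST_BCAST_PS_BUFFERING\n");
 	if (local->hw.flags & IEEE80211_HW_2GHZ_SHORT_SLOT_INCAPABLE)
-		sf += snprintf(buf + sf, mxln - sf,
-			       "2GHZ_SHORT_SLOT_INCAPABLE\n");
+		sf += scnprintf(buf + sf, mxln - sf,
+				"2GHZ_SHORT_SLOT_INCAPABLE\n");
 	if (local->hw.flags & IEEE80211_HW_2GHZ_SHORT_PREAMBLE_INCAPABLE)
-		sf += snprintf(buf + sf, mxln - sf,
-			       "2GHZ_SHORT_PREAMBLE_INCAPABLE\n");
+		sf += scnprintf(buf + sf, mxln - sf,
+				"2GHZ_SHORT_PREAMBLE_INCAPABLE\n");
 	if (local->hw.flags & IEEE80211_HW_SIGNAL_UNSPEC)
-		sf += snprintf(buf + sf, mxln - sf, "SIGNAL_UNSPEC\n");
+		sf += scnprintf(buf + sf, mxln - sf, "SIGNAL_UNSPEC\n");
 	if (local->hw.flags & IEEE80211_HW_SIGNAL_DBM)
-		sf += snprintf(buf + sf, mxln - sf, "SIGNAL_DBM\n");
+		sf += scnprintf(buf + sf, mxln - sf, "SIGNAL_DBM\n");
 	if (local->hw.flags & IEEE80211_HW_NEED_DTIM_BEFORE_ASSOC)
-		sf += snprintf(buf + sf, mxln - sf, "NEED_DTIM_BEFORE_ASSOC\n");
+		sf += scnprintf(buf + sf, mxln - sf,
+				"NEED_DTIM_BEFORE_ASSOC\n");
 	if (local->hw.flags & IEEE80211_HW_SPECTRUM_MGMT)
-		sf += snprintf(buf + sf, mxln - sf, "SPECTRUM_MGMT\n");
+		sf += scnprintf(buf + sf, mxln - sf, "SPECTRUM_MGMT\n");
 	if (local->hw.flags & IEEE80211_HW_AMPDU_AGGREGATION)
-		sf += snprintf(buf + sf, mxln - sf, "AMPDU_AGGREGATION\n");
+		sf += scnprintf(buf + sf, mxln - sf, "AMPDU_AGGREGATION\n");
 	if (local->hw.flags & IEEE80211_HW_SUPPORTS_PS)
-		sf += snprintf(buf + sf, mxln - sf, "SUPPORTS_PS\n");
+		sf += scnprintf(buf + sf, mxln - sf, "SUPPORTS_PS\n");
 	if (local->hw.flags & IEEE80211_HW_PS_NULLFUNC_STACK)
-		sf += snprintf(buf + sf, mxln - sf, "PS_NULLFUNC_STACK\n");
+		sf += scnprintf(buf + sf, mxln - sf, "PS_NULLFUNC_STACK\n");
 	if (local->hw.flags & IEEE80211_HW_SUPPORTS_DYNAMIC_PS)
-		sf += snprintf(buf + sf, mxln - sf, "SUPPORTS_DYNAMIC_PS\n");
+		sf += scnprintf(buf + sf, mxln - sf, "SUPPORTS_DYNAMIC_PS\n");
 	if (local->hw.flags & IEEE80211_HW_MFP_CAPABLE)
-		sf += snprintf(buf + sf, mxln - sf, "MFP_CAPABLE\n");
+		sf += scnprintf(buf + sf, mxln - sf, "MFP_CAPABLE\n");
 	if (local->hw.flags & IEEE80211_HW_SUPPORTS_STATIC_SMPS)
-		sf += snprintf(buf + sf, mxln - sf, "SUPPORTS_STATIC_SMPS\n");
+		sf += scnprintf(buf + sf, mxln - sf, "SUPPORTS_STATIC_SMPS\n");
 	if (local->hw.flags & IEEE80211_HW_SUPPORTS_DYNAMIC_SMPS)
-		sf += snprintf(buf + sf, mxln - sf, "SUPPORTS_DYNAMIC_SMPS\n");
+		sf += scnprintf(buf + sf, mxln - sf,
+				"SUPPORTS_DYNAMIC_SMPS\n");
 	if (local->hw.flags & IEEE80211_HW_SUPPORTS_UAPSD)
-		sf += snprintf(buf + sf, mxln - sf, "SUPPORTS_UAPSD\n");
+		sf += scnprintf(buf + sf, mxln - sf, "SUPPORTS_UAPSD\n");
 	if (local->hw.flags & IEEE80211_HW_REPORTS_TX_ACK_STATUS)
-		sf += snprintf(buf + sf, mxln - sf, "REPORTS_TX_ACK_STATUS\n");
+		sf += scnprintf(buf + sf, mxln - sf,
+				"REPORTS_TX_ACK_STATUS\n");
 	if (local->hw.flags & IEEE80211_HW_CONNECTION_MONITOR)
-		sf += snprintf(buf + sf, mxln - sf, "CONNECTION_MONITOR\n");
+		sf += scnprintf(buf + sf, mxln - sf, "CONNECTION_MONITOR\n");
 	if (local->hw.flags & IEEE80211_HW_SUPPORTS_PER_STA_GTK)
-		sf += snprintf(buf + sf, mxln - sf, "SUPPORTS_PER_STA_GTK\n");
+		sf += scnprintf(buf + sf, mxln - sf, "SUPPORTS_PER_STA_GTK\n");
 	if (local->hw.flags & IEEE80211_HW_AP_LINK_PS)
-		sf += snprintf(buf + sf, mxln - sf, "AP_LINK_PS\n");
+		sf += scnprintf(buf + sf, mxln - sf, "AP_LINK_PS\n");
 	if (local->hw.flags & IEEE80211_HW_TX_AMPDU_SETUP_IN_HW)
-		sf += snprintf(buf + sf, mxln - sf, "TX_AMPDU_SETUP_IN_HW\n");
+		sf += scnprintf(buf + sf, mxln - sf, "TX_AMPDU_SETUP_IN_HW\n");
 
 	rv = simple_read_from_buffer(user_buf, count, ppos, buf, strlen(buf));
 	kfree(buf);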
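Review bot: The switch to scnprintf removes the overflow, but it turns an undersized `mxln` into silent truncation: once `sf` reaches `mxln - 1`, every later `scnprintf(buf + sf, mxln - sf, ...)` writes nothing and the flag list read through debugfs simply ends early with no indication in the output. The allocation and the value of `mxln` are set above the hunk, so whether it keeps pace with the flag list cannot be checked here; a one-line guard after the last flag, `WARN_ON_ONCE(sf >= mxln - 1);`, would surface the next flag addition that outgrows the buffer instead of hiding it (it can also fire when the output fits exactly, which is cheap to rule out by sizing the buffer with a margin). As a minor consistency point, the first call on new line 106 passes `buf` while every other call passes `buf + sf`; writing `buf + sf` there too makes the pattern uniform, assuming `sf` starts at 0 above the hunk. The enclosing function begins before the hunk and continues after it.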
+13 -13
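--- a/net/mac80211/rc80211_pid_debugfs.c
+++ b/net/mac80211/rc80211_pid_debugfs.c
@@ -167,29 +167,29 @@
 	 * provide large enough buffers. */
 	length = length < RC_PID_PRINT_BUF_SIZE ?
 		 length : RC_PID_PRINT_BUF_SIZE;
-	p = snprintf(pb, length, "%u %lu ", ev->id, ev->timestamp);
+	p = scnprintf(pb, length, "%u %lu ", ev->id, ev->timestamp);
 	switch (ev->type) {
 	case RC_PID_EVENT_TYPE_TX_STATUS:
-		p += snprintf(pb + p, length - p, "tx_status %u %u",
-			      !(ev->data.flags & IEEE80211_TX_STAT_ACK),
-			      ev->data.tx_status.status.rates[0].idx);
+		p += scnprintf(pb + p, length - p, "tx_status %u %u",
+			       !(ev->data.flags & IEEE80211_TX_STAT_ACK),
+			       ev->data.tx_status.status.rates[0].idx);
 		break;
 	case RC_PID_EVENT_TYPE_RATE_CHANGE:
-		p += snprintf(pb + p, length - p, "rate_change %d %d",
-			      ev->data.index, ev->data.rate);
+		p += scnprintf(pb + p, length - p, "rate_change %d %d",
+			       ev->data.index, ev->data.rate);
 		break;
 	case RC_PID_EVENT_TYPE_TX_RATE:
-		p += snprintf(pb + p, length - p, "tx_rate %d %d",
-			      ev->data.index, ev->data.rate);
+		p += scnprintf(pb + p, length - p, "tx_rate %d %d",
+			       ev->data.index, ev->data.rate);
 		break;
 	case RC_PID_EVENT_TYPE_PF_SAMPLE:
-		p += snprintf(pb + p, length - p,
-			      "pf_sample %d %d %d %d",
-			      ev->data.pf_sample, ev->data.prop_err,
-			      ev->data.int_err, ev->data.der_err);
+		p += scnprintf(pb + p, length - p,
+			       "pf_sample %d %d %d %d",
+			       ev->data.pf_sample, ev->data.prop_err,
+			       ev->data.int_err, ev->data.der_err);
 		break;
 	}
-	p += snprintf(pb + p, length - p, "\n");
+	p += scnprintf(pb + p, length - p, "\n");
 
 	spin_unlock_irqrestore(&events->lock, status);
 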
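Review bot: The scnprintf calls at new lines 170–192 bound every write to the remaining `length - p`, but `length` here is clamped from the caller's read size, so a reader that passes a short buffer now gets the record cut mid-field (possibly without its trailing newline) and returned as if it were complete, where it previously risked overflowing `pb`. Nothing in the hunk says that this truncation is intended; the comment just above it only pushes the sizing requirement onto userspace. I would state it at the first call: `/* scnprintf bounds each write; a read shorter than RC_PID_PRINT_BUF_SIZE silently truncates the record */`. If the requirement is meant to be firm, rejecting such reads up front with `if (length < RC_PID_PRINT_BUF_SIZE) return -EINVAL;` would make the contract explicit, but that belongs in the function prologue, which starts above the hunk; the function also continues past it.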
+12 -10
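--- a/net/wireless/debugfs.c
+++ b/net/wireless/debugfs.c
@@ -47,17 +47,19 @@
 		return 0;
 
 	if (chan->flags & IEEE80211_CHAN_DISABLED)
-		return snprintf(buf + offset,
-				buf_size - offset,
-				"%d Disabled\n",
-				chan->center_freq);
+		return scnprintf(buf + offset,
+				 buf_size - offset,
+				 "%d Disabled\n",
+				 chan->center_freq);
 
-	return snprintf(buf + offset,
-			buf_size - offset,
-			"%d HT40 %c%c\n",
-			chan->center_freq,
-			(chan->flags & IEEE80211_CHAN_NO_HT40MINUS) ? ' ' : '-',
-			(chan->flags & IEEE80211_CHAN_NO_HT40PLUS) ? ' ' : '+');
+	return scnprintf(buf + offset,
+			 buf_size - offset,
+			 "%d HT40 %c%c\n",
+			 chan->center_freq,
+			 (chan->flags & IEEE80211_CHAN_NO_HT40MINUS) ?
+			 ' ' : '-',
+			 (chan->flags & IEEE80211_CHAN_NO_HT40PLUS) ?
+			 ' ' : '+');
 }
 
 static ssize_t ht40allow_map_read(struct file *file,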
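Review bot: Breaking the two conditionals at new lines 59–62 leaves `' ' : '-'` and `' ' : '+'` standing alone as continuation lines, where they read like separate arguments; the wrap is only needed because `scnprintf(` is one character longer than `snprintf(`. Hoisting the two characters into locals keeps each conditional whole and shortens the call: `char minus = (chan->flags & IEEE80211_CHAN_NO_HT40MINUS) ? ' ' : '-';`, `char plus = (chan->flags & IEEE80211_CHAN_NO_HT40PLUS) ? ' ' : '+';`, then `return scnprintf(buf + offset, buf_size - offset, "%d HT40 %c%c\n", chan->center_freq, minus, plus);` — the declarations would go at the top of the function, whose start is above the hunk. The `buf + offset` / `buf_size - offset` arguments suggest the caller advances `offset` by this return value, which is exactly why scnprintf matters here: snprintf's would-have-written length could push `offset` past `buf_size` and wrap the next size argument; that reasoning deserves a one-line comment above the first `return`, e.g. `/* scnprintf: the return value advances the caller's offset, so it must not exceed what was actually written */`.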