Message ID | 20210419140152.180361-1-colin.king@canonical.com |
---|---|
State | Superseded |
Series | [next] wlcore: Fix buffer overrun by snprintf due to incorrect buffer size |

On Mon, Apr 19, 2021 at 4:01 PM Colin King <colin.king@canonical.com> wrote:
>
> From: Colin Ian King <colin.king@canonical.com>
>
> The size of the buffer that can be written to is currently incorrect, it is
> always the size of the entire buffer even though the snprintf is writing
> at position pos into the buffer. Fix this by setting the buffer size to be
> the number of bytes left in the buffer, namely sizeof(buf) - pos.
>
> Addresses-Coverity: ("Out-of-bounds access")
> Fixes: 7b0e2c4f6be3 ("wlcore: fix overlapping snprintf arguments in debugfs")
> Signed-off-by: Colin Ian King <colin.king@canonical.com>

Acked-by: Arnd Bergmann <arnd@arndb.de>

diff --git a/drivers/net/wireless/ti/wlcore/debugfs.h b/drivers/net/wireless/ti/wlcore/debugfs.h index 715edfa5f89f..a9e13e6d65c5 100644 --- a/drivers/net/wireless/ti/wlcore/debugfs.h +++ b/drivers/net/wireless/ti/wlcore/debugfs.h @@ -84,7 +84,7 @@ static ssize_t sub## _ ##name## _read(struct file *file, \ wl1271_debugfs_update_stats(wl); \ \ for (i = 0; i < len && pos < sizeof(buf); i++) \ - pos += snprintf(buf + pos, sizeof(buf), \ + pos += snprintf(buf + pos, sizeof(buf) - pos, \ "[%d] = %d\n", i, stats->sub.name[i]); \ \ return wl1271_format_buffer(userbuf, count, ppos, "%s", buf); \
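
Review bot: The changed line `pos += snprintf(buf + pos, sizeof(buf) - pos, ...)` still accumulates snprintf's return value, which is the length the formatted output would have had, not the number of bytes actually stored, so after a truncated write pos can end up larger than sizeof(buf). The `pos < sizeof(buf)` condition in the for loop stops the next iteration before `sizeof(buf) - pos` can go wrong, but the size argument is then only correct as long as that guard stays in place. Consider scnprintf() here, which returns the number of bytes written into the buffer and so keeps pos within bounds on its own.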