From patchwork Wed Mar 11 08:47:08 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Takashi Iwai X-Patchwork-Id: 216328 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-9.8 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_PATCH, MAILING_LIST_MULTI, SIGNED_OFF_BY, SPF_HELO_NONE, SPF_PASS, USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id EF6E6C10F27 for ; Wed, 11 Mar 2020 08:47:22 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id B0D0420637 for ; Wed, 11 Mar 2020 08:47:22 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728732AbgCKIrW (ORCPT ); Wed, 11 Mar 2020 04:47:22 -0400 Received: from mx2.suse.de ([195.135.220.15]:55836 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728263AbgCKIrV (ORCPT ); Wed, 11 Mar 2020 04:47:21 -0400 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.220.254]) by mx2.suse.de (Postfix) with ESMTP id 9D9B8AEC1; Wed, 11 Mar 2020 08:47:18 +0000 (UTC) From: Takashi Iwai To: linux-wireless@vger.kernel.org Cc: Kalle Valo , Jiri Slaby , Nick Kossifidis , Luis Chamberlain Subject: [PATCH 2/7] ath5k: Use scnprintf() for avoiding potential buffer overflow Date: Wed, 11 Mar 2020 09:47:08 +0100 Message-Id: <20200311084713.18220-3-tiwai@suse.de> X-Mailer: git-send-email 2.16.4 In-Reply-To: <20200311084713.18220-1-tiwai@suse.de> References: <20200311084713.18220-1-tiwai@suse.de> Sender: linux-wireless-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org Since snprintf() returns the would-be-output size instead of the actual output size, the succeeding calls may go beyond the given buffer limit. Fix it by replacing with scnprintf(). Cc: Jiri Slaby Cc: Nick Kossifidis Cc: Luis Chamberlain Signed-off-by: Takashi Iwai --- drivers/net/wireless/ath/ath5k/debug.c | 174 ++++++++++++++++----------------- 1 file changed, 87 insertions(+), 87 deletions(-) diff --git a/drivers/net/wireless/ath/ath5k/debug.c b/drivers/net/wireless/ath/ath5k/debug.c index 94f70047d3fc..2eaba1ccab20 100644 --- a/drivers/net/wireless/ath/ath5k/debug.c +++ b/drivers/net/wireless/ath/ath5k/debug.c @@ -201,35 +201,35 @@ static ssize_t read_file_beacon(struct file *file, char __user *user_buf, u64 tsf; v = ath5k_hw_reg_read(ah, AR5K_BEACON); - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, "%-24s0x%08x\tintval: %d\tTIM: 0x%x\n", "AR5K_BEACON", v, v & AR5K_BEACON_PERIOD, (v & AR5K_BEACON_TIM) >> AR5K_BEACON_TIM_S); - len += snprintf(buf + len, sizeof(buf) - len, "%-24s0x%08x\n", + len += scnprintf(buf + len, sizeof(buf) - len, "%-24s0x%08x\n", "AR5K_LAST_TSTP", ath5k_hw_reg_read(ah, AR5K_LAST_TSTP)); - len += snprintf(buf + len, sizeof(buf) - len, "%-24s0x%08x\n\n", + len += scnprintf(buf + len, sizeof(buf) - len, "%-24s0x%08x\n\n", "AR5K_BEACON_CNT", ath5k_hw_reg_read(ah, AR5K_BEACON_CNT)); v = ath5k_hw_reg_read(ah, AR5K_TIMER0); - len += snprintf(buf + len, sizeof(buf) - len, "%-24s0x%08x\tTU: %08x\n", + len += scnprintf(buf + len, sizeof(buf) - len, "%-24s0x%08x\tTU: %08x\n", "AR5K_TIMER0 (TBTT)", v, v); v = ath5k_hw_reg_read(ah, AR5K_TIMER1); - len += snprintf(buf + len, sizeof(buf) - len, "%-24s0x%08x\tTU: %08x\n", + len += scnprintf(buf + len, sizeof(buf) - len, "%-24s0x%08x\tTU: %08x\n", "AR5K_TIMER1 (DMA)", v, v >> 3); v = ath5k_hw_reg_read(ah, AR5K_TIMER2); - len += snprintf(buf + len, sizeof(buf) - len, "%-24s0x%08x\tTU: %08x\n", + len += scnprintf(buf + len, sizeof(buf) - len, "%-24s0x%08x\tTU: %08x\n", "AR5K_TIMER2 (SWBA)", v, v >> 3); v = ath5k_hw_reg_read(ah, AR5K_TIMER3); - len += snprintf(buf + len, sizeof(buf) - len, "%-24s0x%08x\tTU: %08x\n", + len += scnprintf(buf + len, sizeof(buf) - len, "%-24s0x%08x\tTU: %08x\n", "AR5K_TIMER3 (ATIM)", v, v); tsf = ath5k_hw_get_tsf64(ah); - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, "TSF\t\t0x%016llx\tTU: %08x\n", (unsigned long long)tsf, TSF_TO_TU(tsf)); @@ -320,16 +320,16 @@ static ssize_t read_file_debug(struct file *file, char __user *user_buf, unsigned int len = 0; unsigned int i; - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, "DEBUG LEVEL: 0x%08x\n\n", ah->debug.level); for (i = 0; i < ARRAY_SIZE(dbg_info) - 1; i++) { - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, "%10s %c 0x%08x - %s\n", dbg_info[i].name, ah->debug.level & dbg_info[i].level ? '+' : ' ', dbg_info[i].level, dbg_info[i].desc); } - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, "%10s %c 0x%08x - %s\n", dbg_info[i].name, ah->debug.level == dbg_info[i].level ? '+' : ' ', dbg_info[i].level, dbg_info[i].desc); @@ -383,60 +383,60 @@ static ssize_t read_file_antenna(struct file *file, char __user *user_buf, unsigned int i; unsigned int v; - len += snprintf(buf + len, sizeof(buf) - len, "antenna mode\t%d\n", + len += scnprintf(buf + len, sizeof(buf) - len, "antenna mode\t%d\n", ah->ah_ant_mode); - len += snprintf(buf + len, sizeof(buf) - len, "default antenna\t%d\n", + len += scnprintf(buf + len, sizeof(buf) - len, "default antenna\t%d\n", ah->ah_def_ant); - len += snprintf(buf + len, sizeof(buf) - len, "tx antenna\t%d\n", + len += scnprintf(buf + len, sizeof(buf) - len, "tx antenna\t%d\n", ah->ah_tx_ant); - len += snprintf(buf + len, sizeof(buf) - len, "\nANTENNA\t\tRX\tTX\n"); + len += scnprintf(buf + len, sizeof(buf) - len, "\nANTENNA\t\tRX\tTX\n"); for (i = 1; i < ARRAY_SIZE(ah->stats.antenna_rx); i++) { - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, "[antenna %d]\t%d\t%d\n", i, ah->stats.antenna_rx[i], ah->stats.antenna_tx[i]); } - len += snprintf(buf + len, sizeof(buf) - len, "[invalid]\t%d\t%d\n", + len += scnprintf(buf + len, sizeof(buf) - len, "[invalid]\t%d\t%d\n", ah->stats.antenna_rx[0], ah->stats.antenna_tx[0]); v = ath5k_hw_reg_read(ah, AR5K_DEFAULT_ANTENNA); - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, "\nAR5K_DEFAULT_ANTENNA\t0x%08x\n", v); v = ath5k_hw_reg_read(ah, AR5K_STA_ID1); - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, "AR5K_STA_ID1_DEFAULT_ANTENNA\t%d\n", (v & AR5K_STA_ID1_DEFAULT_ANTENNA) != 0); - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, "AR5K_STA_ID1_DESC_ANTENNA\t%d\n", (v & AR5K_STA_ID1_DESC_ANTENNA) != 0); - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, "AR5K_STA_ID1_RTS_DEF_ANTENNA\t%d\n", (v & AR5K_STA_ID1_RTS_DEF_ANTENNA) != 0); - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, "AR5K_STA_ID1_SELFGEN_DEF_ANT\t%d\n", (v & AR5K_STA_ID1_SELFGEN_DEF_ANT) != 0); v = ath5k_hw_reg_read(ah, AR5K_PHY_AGCCTL); - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, "\nAR5K_PHY_AGCCTL_OFDM_DIV_DIS\t%d\n", (v & AR5K_PHY_AGCCTL_OFDM_DIV_DIS) != 0); v = ath5k_hw_reg_read(ah, AR5K_PHY_RESTART); - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, "AR5K_PHY_RESTART_DIV_GC\t\t%x\n", (v & AR5K_PHY_RESTART_DIV_GC) >> AR5K_PHY_RESTART_DIV_GC_S); v = ath5k_hw_reg_read(ah, AR5K_PHY_FAST_ANT_DIV); - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, "AR5K_PHY_FAST_ANT_DIV_EN\t%d\n", (v & AR5K_PHY_FAST_ANT_DIV_EN) != 0); v = ath5k_hw_reg_read(ah, AR5K_PHY_ANT_SWITCH_TABLE_0); - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, "\nAR5K_PHY_ANT_SWITCH_TABLE_0\t0x%08x\n", v); v = ath5k_hw_reg_read(ah, AR5K_PHY_ANT_SWITCH_TABLE_1); - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, "AR5K_PHY_ANT_SWITCH_TABLE_1\t0x%08x\n", v); if (len > sizeof(buf)) @@ -495,36 +495,36 @@ static ssize_t read_file_misc(struct file *file, char __user *user_buf, unsigned int len = 0; u32 filt = ath5k_hw_get_rx_filter(ah); - len += snprintf(buf + len, sizeof(buf) - len, "bssid-mask: %pM\n", + len += scnprintf(buf + len, sizeof(buf) - len, "bssid-mask: %pM\n", ah->bssidmask); - len += snprintf(buf + len, sizeof(buf) - len, "filter-flags: 0x%x ", + len += scnprintf(buf + len, sizeof(buf) - len, "filter-flags: 0x%x ", filt); if (filt & AR5K_RX_FILTER_UCAST) - len += snprintf(buf + len, sizeof(buf) - len, " UCAST"); + len += scnprintf(buf + len, sizeof(buf) - len, " UCAST"); if (filt & AR5K_RX_FILTER_MCAST) - len += snprintf(buf + len, sizeof(buf) - len, " MCAST"); + len += scnprintf(buf + len, sizeof(buf) - len, " MCAST"); if (filt & AR5K_RX_FILTER_BCAST) - len += snprintf(buf + len, sizeof(buf) - len, " BCAST"); + len += scnprintf(buf + len, sizeof(buf) - len, " BCAST"); if (filt & AR5K_RX_FILTER_CONTROL) - len += snprintf(buf + len, sizeof(buf) - len, " CONTROL"); + len += scnprintf(buf + len, sizeof(buf) - len, " CONTROL"); if (filt & AR5K_RX_FILTER_BEACON) - len += snprintf(buf + len, sizeof(buf) - len, " BEACON"); + len += scnprintf(buf + len, sizeof(buf) - len, " BEACON"); if (filt & AR5K_RX_FILTER_PROM) - len += snprintf(buf + len, sizeof(buf) - len, " PROM"); + len += scnprintf(buf + len, sizeof(buf) - len, " PROM"); if (filt & AR5K_RX_FILTER_XRPOLL) - len += snprintf(buf + len, sizeof(buf) - len, " XRPOLL"); + len += scnprintf(buf + len, sizeof(buf) - len, " XRPOLL"); if (filt & AR5K_RX_FILTER_PROBEREQ) - len += snprintf(buf + len, sizeof(buf) - len, " PROBEREQ"); + len += scnprintf(buf + len, sizeof(buf) - len, " PROBEREQ"); if (filt & AR5K_RX_FILTER_PHYERR_5212) - len += snprintf(buf + len, sizeof(buf) - len, " PHYERR-5212"); + len += scnprintf(buf + len, sizeof(buf) - len, " PHYERR-5212"); if (filt & AR5K_RX_FILTER_RADARERR_5212) - len += snprintf(buf + len, sizeof(buf) - len, " RADARERR-5212"); + len += scnprintf(buf + len, sizeof(buf) - len, " RADARERR-5212"); if (filt & AR5K_RX_FILTER_PHYERR_5211) snprintf(buf + len, sizeof(buf) - len, " PHYERR-5211"); if (filt & AR5K_RX_FILTER_RADARERR_5211) - len += snprintf(buf + len, sizeof(buf) - len, " RADARERR-5211"); + len += scnprintf(buf + len, sizeof(buf) - len, " RADARERR-5211"); - len += snprintf(buf + len, sizeof(buf) - len, "\nopmode: %s (%d)\n", + len += scnprintf(buf + len, sizeof(buf) - len, "\nopmode: %s (%d)\n", ath_opmode_to_string(ah->opmode), ah->opmode); if (len > sizeof(buf)) @@ -551,65 +551,65 @@ static ssize_t read_file_frameerrors(struct file *file, char __user *user_buf, unsigned int len = 0; int i; - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, "RX\n---------------------\n"); - len += snprintf(buf + len, sizeof(buf) - len, "CRC\t%u\t(%u%%)\n", + len += scnprintf(buf + len, sizeof(buf) - len, "CRC\t%u\t(%u%%)\n", st->rxerr_crc, st->rx_all_count > 0 ? st->rxerr_crc * 100 / st->rx_all_count : 0); - len += snprintf(buf + len, sizeof(buf) - len, "PHY\t%u\t(%u%%)\n", + len += scnprintf(buf + len, sizeof(buf) - len, "PHY\t%u\t(%u%%)\n", st->rxerr_phy, st->rx_all_count > 0 ? st->rxerr_phy * 100 / st->rx_all_count : 0); for (i = 0; i < 32; i++) { if (st->rxerr_phy_code[i]) - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, " phy_err[%u]\t%u\n", i, st->rxerr_phy_code[i]); } - len += snprintf(buf + len, sizeof(buf) - len, "FIFO\t%u\t(%u%%)\n", + len += scnprintf(buf + len, sizeof(buf) - len, "FIFO\t%u\t(%u%%)\n", st->rxerr_fifo, st->rx_all_count > 0 ? st->rxerr_fifo * 100 / st->rx_all_count : 0); - len += snprintf(buf + len, sizeof(buf) - len, "decrypt\t%u\t(%u%%)\n", + len += scnprintf(buf + len, sizeof(buf) - len, "decrypt\t%u\t(%u%%)\n", st->rxerr_decrypt, st->rx_all_count > 0 ? st->rxerr_decrypt * 100 / st->rx_all_count : 0); - len += snprintf(buf + len, sizeof(buf) - len, "MIC\t%u\t(%u%%)\n", + len += scnprintf(buf + len, sizeof(buf) - len, "MIC\t%u\t(%u%%)\n", st->rxerr_mic, st->rx_all_count > 0 ? st->rxerr_mic * 100 / st->rx_all_count : 0); - len += snprintf(buf + len, sizeof(buf) - len, "process\t%u\t(%u%%)\n", + len += scnprintf(buf + len, sizeof(buf) - len, "process\t%u\t(%u%%)\n", st->rxerr_proc, st->rx_all_count > 0 ? st->rxerr_proc * 100 / st->rx_all_count : 0); - len += snprintf(buf + len, sizeof(buf) - len, "jumbo\t%u\t(%u%%)\n", + len += scnprintf(buf + len, sizeof(buf) - len, "jumbo\t%u\t(%u%%)\n", st->rxerr_jumbo, st->rx_all_count > 0 ? st->rxerr_jumbo * 100 / st->rx_all_count : 0); - len += snprintf(buf + len, sizeof(buf) - len, "[RX all\t%u]\n", + len += scnprintf(buf + len, sizeof(buf) - len, "[RX all\t%u]\n", st->rx_all_count); - len += snprintf(buf + len, sizeof(buf) - len, "RX-all-bytes\t%u\n", + len += scnprintf(buf + len, sizeof(buf) - len, "RX-all-bytes\t%u\n", st->rx_bytes_count); - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, "\nTX\n---------------------\n"); - len += snprintf(buf + len, sizeof(buf) - len, "retry\t%u\t(%u%%)\n", + len += scnprintf(buf + len, sizeof(buf) - len, "retry\t%u\t(%u%%)\n", st->txerr_retry, st->tx_all_count > 0 ? st->txerr_retry * 100 / st->tx_all_count : 0); - len += snprintf(buf + len, sizeof(buf) - len, "FIFO\t%u\t(%u%%)\n", + len += scnprintf(buf + len, sizeof(buf) - len, "FIFO\t%u\t(%u%%)\n", st->txerr_fifo, st->tx_all_count > 0 ? st->txerr_fifo * 100 / st->tx_all_count : 0); - len += snprintf(buf + len, sizeof(buf) - len, "filter\t%u\t(%u%%)\n", + len += scnprintf(buf + len, sizeof(buf) - len, "filter\t%u\t(%u%%)\n", st->txerr_filt, st->tx_all_count > 0 ? st->txerr_filt * 100 / st->tx_all_count : 0); - len += snprintf(buf + len, sizeof(buf) - len, "[TX all\t%u]\n", + len += scnprintf(buf + len, sizeof(buf) - len, "[TX all\t%u]\n", st->tx_all_count); - len += snprintf(buf + len, sizeof(buf) - len, "TX-all-bytes\t%u\n", + len += scnprintf(buf + len, sizeof(buf) - len, "TX-all-bytes\t%u\n", st->tx_bytes_count); if (len > sizeof(buf)) @@ -670,56 +670,56 @@ static ssize_t read_file_ani(struct file *file, char __user *user_buf, char buf[700]; unsigned int len = 0; - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, "HW has PHY error counters:\t%s\n", ah->ah_capabilities.cap_has_phyerr_counters ? "yes" : "no"); - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, "HW max spur immunity level:\t%d\n", as->max_spur_level); - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, "\nANI state\n--------------------------------------------\n"); - len += snprintf(buf + len, sizeof(buf) - len, "operating mode:\t\t\t"); + len += scnprintf(buf + len, sizeof(buf) - len, "operating mode:\t\t\t"); switch (as->ani_mode) { case ATH5K_ANI_MODE_OFF: - len += snprintf(buf + len, sizeof(buf) - len, "OFF\n"); + len += scnprintf(buf + len, sizeof(buf) - len, "OFF\n"); break; case ATH5K_ANI_MODE_MANUAL_LOW: - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, "MANUAL LOW\n"); break; case ATH5K_ANI_MODE_MANUAL_HIGH: - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, "MANUAL HIGH\n"); break; case ATH5K_ANI_MODE_AUTO: - len += snprintf(buf + len, sizeof(buf) - len, "AUTO\n"); + len += scnprintf(buf + len, sizeof(buf) - len, "AUTO\n"); break; default: - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, "??? (not good)\n"); break; } - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, "noise immunity level:\t\t%d\n", as->noise_imm_level); - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, "spur immunity level:\t\t%d\n", as->spur_level); - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, "firstep level:\t\t\t%d\n", as->firstep_level); - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, "OFDM weak signal detection:\t%s\n", as->ofdm_weak_sig ? "on" : "off"); - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, "CCK weak signal detection:\t%s\n", as->cck_weak_sig ? "on" : "off"); - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, "\nMIB INTERRUPTS:\t\t%u\n", st->mib_intr); - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, "beacon RSSI average:\t%d\n", (int)ewma_beacon_rssi_read(&ah->ah_beacon_rssi_avg)); @@ -728,35 +728,35 @@ static ssize_t read_file_ani(struct file *file, char __user *user_buf, _struct.cycles > 0 ? \ _struct._field * 100 / _struct.cycles : 0 - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, "profcnt tx\t\t%u\t(%d%%)\n", CC_PRINT(as->last_cc, tx_frame)); - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, "profcnt rx\t\t%u\t(%d%%)\n", CC_PRINT(as->last_cc, rx_frame)); - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, "profcnt busy\t\t%u\t(%d%%)\n", CC_PRINT(as->last_cc, rx_busy)); #undef CC_PRINT - len += snprintf(buf + len, sizeof(buf) - len, "profcnt cycles\t\t%u\n", + len += scnprintf(buf + len, sizeof(buf) - len, "profcnt cycles\t\t%u\n", as->last_cc.cycles); - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, "listen time\t\t%d\tlast: %d\n", as->listen_time, as->last_listen); - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, "OFDM errors\t\t%u\tlast: %u\tsum: %u\n", as->ofdm_errors, as->last_ofdm_errors, as->sum_ofdm_errors); - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, "CCK errors\t\t%u\tlast: %u\tsum: %u\n", as->cck_errors, as->last_cck_errors, as->sum_cck_errors); - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, "AR5K_PHYERR_CNT1\t%x\t(=%d)\n", ath5k_hw_reg_read(ah, AR5K_PHYERR_CNT1), ATH5K_ANI_OFDM_TRIG_HIGH - (ATH5K_PHYERR_CNT_MAX - ath5k_hw_reg_read(ah, AR5K_PHYERR_CNT1))); - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, "AR5K_PHYERR_CNT2\t%x\t(=%d)\n", ath5k_hw_reg_read(ah, AR5K_PHYERR_CNT2), ATH5K_ANI_CCK_TRIG_HIGH - (ATH5K_PHYERR_CNT_MAX - @@ -836,13 +836,13 @@ static ssize_t read_file_queue(struct file *file, char __user *user_buf, struct ath5k_buf *bf, *bf0; int i, n; - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, "available txbuffers: %d\n", ah->txbuf_len); for (i = 0; i < ARRAY_SIZE(ah->txqs); i++) { txq = &ah->txqs[i]; - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, "%02d: %ssetup\n", i, txq->setup ? "" : "not "); if (!txq->setup) @@ -854,9 +854,9 @@ static ssize_t read_file_queue(struct file *file, char __user *user_buf, n++; spin_unlock_bh(&txq->lock); - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, " len: %d bufs: %d\n", txq->txq_len, n); - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, " stuck: %d\n", txq->txq_stuck); } From patchwork Wed Mar 11 08:47:09 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Takashi Iwai X-Patchwork-Id: 216330 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-9.8 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_PATCH, MAILING_LIST_MULTI, SIGNED_OFF_BY, SPF_HELO_NONE, SPF_PASS, USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id DE134C18E5B for ; Wed, 11 Mar 2020 08:47:21 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id B845820637 for ; Wed, 11 Mar 2020 08:47:21 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728725AbgCKIrV (ORCPT ); Wed, 11 Mar 2020 04:47:21 -0400 Received: from mx2.suse.de ([195.135.220.15]:55850 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728514AbgCKIrU (ORCPT ); Wed, 11 Mar 2020 04:47:20 -0400 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.220.254]) by mx2.suse.de (Postfix) with ESMTP id D0209AF2F; Wed, 11 Mar 2020 08:47:18 +0000 (UTC) From: Takashi Iwai To: linux-wireless@vger.kernel.org Cc: Kalle Valo , Christian Lamparter Subject: [PATCH 3/7] carl9170: Use scnprintf() for avoiding potential buffer overflow Date: Wed, 11 Mar 2020 09:47:09 +0100 Message-Id: <20200311084713.18220-4-tiwai@suse.de> X-Mailer: git-send-email 2.16.4 In-Reply-To: <20200311084713.18220-1-tiwai@suse.de> References: <20200311084713.18220-1-tiwai@suse.de> Sender: linux-wireless-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org Since snprintf() returns the would-be-output size instead of the actual output size, the succeeding calls may go beyond the given buffer limit. Fix it by replacing with scnprintf(). Cc: Christian Lamparter Signed-off-by: Takashi Iwai --- drivers/net/wireless/ath/carl9170/debug.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/wireless/ath/carl9170/debug.c b/drivers/net/wireless/ath/carl9170/debug.c index a9b6dc17e408..19009aafc4e1 100644 --- a/drivers/net/wireless/ath/carl9170/debug.c +++ b/drivers/net/wireless/ath/carl9170/debug.c @@ -45,7 +45,7 @@ #include "cmd.h" #define ADD(buf, off, max, fmt, args...) \ - off += snprintf(&buf[off], max - off, fmt, ##args); + off += scnprintf(&buf[off], max - off, fmt, ##args); struct carl9170_debugfs_fops { From patchwork Wed Mar 11 08:47:13 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Takashi Iwai X-Patchwork-Id: 216329 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-9.8 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, INCLUDES_PATCH, MAILING_LIST_MULTI, SIGNED_OFF_BY, SPF_HELO_NONE, SPF_PASS, USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6F919C18E5C for ; Wed, 11 Mar 2020 08:47:22 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 455AB20637 for ; Wed, 11 Mar 2020 08:47:22 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728727AbgCKIrV (ORCPT ); Wed, 11 Mar 2020 04:47:21 -0400 Received: from mx2.suse.de ([195.135.220.15]:55894 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728688AbgCKIrV (ORCPT ); Wed, 11 Mar 2020 04:47:21 -0400 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.220.254]) by mx2.suse.de (Postfix) with ESMTP id 6858DAF8E; Wed, 11 Mar 2020 08:47:19 +0000 (UTC) From: Takashi Iwai To: linux-wireless@vger.kernel.org Cc: Kalle Valo , Luis Chamberlain Subject: [PATCH 7/7] prism54: Use scnprintf() for avoiding potential buffer overflow Date: Wed, 11 Mar 2020 09:47:13 +0100 Message-Id: <20200311084713.18220-8-tiwai@suse.de> X-Mailer: git-send-email 2.16.4 In-Reply-To: <20200311084713.18220-1-tiwai@suse.de> References: <20200311084713.18220-1-tiwai@suse.de> Sender: linux-wireless-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org Since snprintf() returns the would-be-output size instead of the actual output size, the succeeding calls may go beyond the given buffer limit. Fix it by replacing with scnprintf(). Cc: Luis Chamberlain Signed-off-by: Takashi Iwai --- drivers/net/wireless/intersil/prism54/oid_mgt.c | 34 ++++++++++++------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/drivers/net/wireless/intersil/prism54/oid_mgt.c b/drivers/net/wireless/intersil/prism54/oid_mgt.c index 5705ad925a51..9fd307ca4b6d 100644 --- a/drivers/net/wireless/intersil/prism54/oid_mgt.c +++ b/drivers/net/wireless/intersil/prism54/oid_mgt.c @@ -780,17 +780,17 @@ mgt_response_to_str(enum oid_num_t n, union oid_res_t *r, char *str) { switch (isl_oid[n].flags & OID_FLAG_TYPE) { case OID_TYPE_U32: - return snprintf(str, PRIV_STR_SIZE, "%u\n", r->u); + return scnprintf(str, PRIV_STR_SIZE, "%u\n", r->u); case OID_TYPE_BUFFER:{ struct obj_buffer *buff = r->ptr; - return snprintf(str, PRIV_STR_SIZE, + return scnprintf(str, PRIV_STR_SIZE, "size=%u\naddr=0x%X\n", buff->size, buff->addr); } break; case OID_TYPE_BSS:{ struct obj_bss *bss = r->ptr; - return snprintf(str, PRIV_STR_SIZE, + return scnprintf(str, PRIV_STR_SIZE, "age=%u\nchannel=%u\n" "capinfo=0x%X\nrates=0x%X\n" "basic_rates=0x%X\n", bss->age, @@ -801,9 +801,9 @@ mgt_response_to_str(enum oid_num_t n, union oid_res_t *r, char *str) case OID_TYPE_BSSLIST:{ struct obj_bsslist *list = r->ptr; int i, k; - k = snprintf(str, PRIV_STR_SIZE, "nr=%u\n", list->nr); + k = scnprintf(str, PRIV_STR_SIZE, "nr=%u\n", list->nr); for (i = 0; i < list->nr; i++) - k += snprintf(str + k, PRIV_STR_SIZE - k, + k += scnprintf(str + k, PRIV_STR_SIZE - k, "bss[%u] :\nage=%u\nchannel=%u\n" "capinfo=0x%X\nrates=0x%X\n" "basic_rates=0x%X\n", @@ -819,23 +819,23 @@ mgt_response_to_str(enum oid_num_t n, union oid_res_t *r, char *str) struct obj_frequencies *freq = r->ptr; int i, t; printk("nr : %u\n", freq->nr); - t = snprintf(str, PRIV_STR_SIZE, "nr=%u\n", freq->nr); + t = scnprintf(str, PRIV_STR_SIZE, "nr=%u\n", freq->nr); for (i = 0; i < freq->nr; i++) - t += snprintf(str + t, PRIV_STR_SIZE - t, + t += scnprintf(str + t, PRIV_STR_SIZE - t, "mhz[%u]=%u\n", i, freq->mhz[i]); return t; } break; case OID_TYPE_MLME:{ struct obj_mlme *mlme = r->ptr; - return snprintf(str, PRIV_STR_SIZE, + return scnprintf(str, PRIV_STR_SIZE, "id=0x%X\nstate=0x%X\ncode=0x%X\n", mlme->id, mlme->state, mlme->code); } break; case OID_TYPE_MLMEEX:{ struct obj_mlmeex *mlme = r->ptr; - return snprintf(str, PRIV_STR_SIZE, + return scnprintf(str, PRIV_STR_SIZE, "id=0x%X\nstate=0x%X\n" "code=0x%X\nsize=0x%X\n", mlme->id, mlme->state, mlme->code, mlme->size); @@ -843,7 +843,7 @@ mgt_response_to_str(enum oid_num_t n, union oid_res_t *r, char *str) break; case OID_TYPE_ATTACH:{ struct obj_attachment *attach = r->ptr; - return snprintf(str, PRIV_STR_SIZE, + return scnprintf(str, PRIV_STR_SIZE, "id=%d\nsize=%d\n", attach->id, attach->size); @@ -851,7 +851,7 @@ mgt_response_to_str(enum oid_num_t n, union oid_res_t *r, char *str) break; case OID_TYPE_SSID:{ struct obj_ssid *ssid = r->ptr; - return snprintf(str, PRIV_STR_SIZE, + return scnprintf(str, PRIV_STR_SIZE, "length=%u\noctets=%.*s\n", ssid->length, ssid->length, ssid->octets); @@ -860,13 +860,13 @@ mgt_response_to_str(enum oid_num_t n, union oid_res_t *r, char *str) case OID_TYPE_KEY:{ struct obj_key *key = r->ptr; int t, i; - t = snprintf(str, PRIV_STR_SIZE, + t = scnprintf(str, PRIV_STR_SIZE, "type=0x%X\nlength=0x%X\nkey=0x", key->type, key->length); for (i = 0; i < key->length; i++) - t += snprintf(str + t, PRIV_STR_SIZE - t, + t += scnprintf(str + t, PRIV_STR_SIZE - t, "%02X:", key->key[i]); - t += snprintf(str + t, PRIV_STR_SIZE - t, "\n"); + t += scnprintf(str + t, PRIV_STR_SIZE - t, "\n"); return t; } break; @@ -874,11 +874,11 @@ mgt_response_to_str(enum oid_num_t n, union oid_res_t *r, char *str) case OID_TYPE_ADDR:{ unsigned char *buff = r->ptr; int t, i; - t = snprintf(str, PRIV_STR_SIZE, "hex data="); + t = scnprintf(str, PRIV_STR_SIZE, "hex data="); for (i = 0; i < isl_oid[n].size; i++) - t += snprintf(str + t, PRIV_STR_SIZE - t, + t += scnprintf(str + t, PRIV_STR_SIZE - t, "%02X:", buff[i]); - t += snprintf(str + t, PRIV_STR_SIZE - t, "\n"); + t += scnprintf(str + t, PRIV_STR_SIZE - t, "\n"); return t; } break;