staging: vc04_services: Use scnprintf() for avoiding potential buffer overflow
authorTakashi Iwai <tiwai@suse.de>
Thu, 19 Mar 2020 16:13:00 +0000 (17:13 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 19 Mar 2020 16:31:12 +0000 (17:31 +0100)
Since snprintf() returns the would-be-output size instead of the
actual output size, the succeeding calls may go beyond the given
buffer limit.  Fix it by replacing with scnprintf().

Reviewed-by: Nicolas Saenz Julienne <nsaenzjulienne@suse.de>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: bcm-kernel-feedback-list@broadcom.com
Cc: linux-rpi-kernel@lists.infradead.org
Cc: devel@driverdev.osuosl.org
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://lore.kernel.org/r/20200319161300.25967-1-tiwai@suse.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c

index b377f18aed45393775b9375444963ba3ff7b3ce4..a1ea9777a4445842522015bd95f701f745401e48 100644 (file)
@@ -2161,17 +2161,17 @@ int vchiq_dump_platform_service_state(void *dump_context,
        char buf[80];
        int len;
 
-       len = snprintf(buf, sizeof(buf), "  instance %pK", service->instance);
+       len = scnprintf(buf, sizeof(buf), "  instance %pK", service->instance);
 
        if ((service->base.callback == service_callback) &&
                user_service->is_vchi) {
-               len += snprintf(buf + len, sizeof(buf) - len,
+               len += scnprintf(buf + len, sizeof(buf) - len,
                        ", %d/%d messages",
                        user_service->msg_insert - user_service->msg_remove,
                        MSG_QUEUE_SIZE);
 
                if (user_service->dequeue_pending)
-                       len += snprintf(buf + len, sizeof(buf) - len,
+                       len += scnprintf(buf + len, sizeof(buf) - len,
                                " (dequeue pending)");
        }