net: nfp: Use scnprintf() for avoiding potential buffer overflow
authorTakashi Iwai <tiwai@suse.de>
Sun, 15 Mar 2020 09:35:00 +0000 (10:35 +0100)
committerDavid S. Miller <davem@davemloft.net>
Mon, 16 Mar 2020 00:06:22 +0000 (17:06 -0700)
Since snprintf() returns the would-be-output size instead of the
actual output size, the succeeding calls may go beyond the given
buffer limit.  Fix it by replacing with scnprintf().

Reviewed-by: Simon Horman <simon.horman@netronome.com>
Cc: "David S . Miller" <davem@davemloft.net>
Cc: Jakub Kicinski <kuba@kernel.org>
Cc: oss-drivers@netronome.com
To: netdev@vger.kernel.org
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
drivers/net/ethernet/netronome/nfp/nfpcore/nfp6000_pcie.c

index b454db283aefce409ed1db14ebe638c6e6d420b0..684e4e036c556d947d72be4e048b39d007876365 100644 (file)
@@ -616,7 +616,7 @@ static int enable_bars(struct nfp6000_pcie *nfp, u16 interface)
        if (bar->iomem) {
                int pf;
 
-               msg += snprintf(msg, end - msg, "0.0: General/MSI-X SRAM, ");
+               msg += scnprintf(msg, end - msg, "0.0: General/MSI-X SRAM, ");
                atomic_inc(&bar->refcnt);
                bars_free--;
 
@@ -661,7 +661,7 @@ static int enable_bars(struct nfp6000_pcie *nfp, u16 interface)
 
        /* Configure, and lock, BAR0.1 for PCIe XPB (MSI-X PBA) */
        bar = &nfp->bar[1];
-       msg += snprintf(msg, end - msg, "0.1: PCIe XPB/MSI-X PBA, ");
+       msg += scnprintf(msg, end - msg, "0.1: PCIe XPB/MSI-X PBA, ");
        atomic_inc(&bar->refcnt);
        bars_free--;
 
@@ -680,8 +680,8 @@ static int enable_bars(struct nfp6000_pcie *nfp, u16 interface)
                bar->iomem = ioremap(nfp_bar_resource_start(bar),
                                             nfp_bar_resource_len(bar));
                if (bar->iomem) {
-                       msg += snprintf(msg, end - msg,
-                                       "0.%d: Explicit%d, ", 4 + i, i);
+                       msg += scnprintf(msg, end - msg,
+                                        "0.%d: Explicit%d, ", 4 + i, i);
                        atomic_inc(&bar->refcnt);
                        bars_free--;