From 190c8f721adc01840a67dbcf44905e3f1fa638ef Mon Sep 17 00:00:00 2001
From: Takashi Iwai
Date: Thu, 19 Mar 2020 17:13:00 +0100
Subject: [PATCH] staging: vc04_services: Use scnprintf() for avoiding potential buffer overflow
Since snprintf() returns the would-be-output size instead of the actual output size, the succeeding calls may go beyond the given buffer limit. Fix it by replacing with scnprintf().
Reviewed-by: Nicolas Saenz Julienne
Cc: Greg Kroah-Hartman
Cc: bcm-kernel-feedback-list@broadcom.com
Cc: linux-rpi-kernel@lists.infradead.org
Cc: devel@driverdev.osuosl.org
Signed-off-by: Takashi Iwai
Link: https://lore.kernel.org/r/20200319161300.25967-1-tiwai@suse.de
Signed-off-by: Greg Kroah-Hartman
---
 .../staging/vc04_services/interface/vchiq_arm/vchiq_arm.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c
index b377f18aed45..a1ea9777a444 100644
--- a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c
+++ b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c
@@ -2161,17 +2161,17 @@ int vchiq_dump_platform_service_state(void *dump_context,
 char buf[80];
 int len;
- len = snprintf(buf, sizeof(buf), " instance %pK", service->instance);
+ len = scnprintf(buf, sizeof(buf), " instance %pK", service->instance);
 if ((service->base.callback == service_callback) && user_service->is_vchi) {
- len += snprintf(buf + len, sizeof(buf) - len,
+ len += scnprintf(buf + len, sizeof(buf) - len,
 ", %d/%d messages", user_service->msg_insert - user_service->msg_remove, MSG_QUEUE_SIZE);
 if (user_service->dequeue_pending)
- len += snprintf(buf + len, sizeof(buf) - len,
+ len += scnprintf(buf + len, sizeof(buf) - len,
 " (dequeue pending)");
 }
-- 
2.30.2
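Review bot: The three append calls in vchiq_dump_platform_service_state now rely on scnprintf() returning the number of bytes actually stored, but nothing in the code says so, and that difference from snprintf() is easy to lose in a later cleanup. A short comment above the first call would pin the invariant, for example `/* scnprintf() returns the length actually stored, so len stays below sizeof(buf) */`. Output that does not fit the 80-byte `buf` is now truncated silently; if a complete line matters to whoever reads the dump, that is worth a word in the same comment. The function starts and ends outside the hunk, so how `len` is used after the closing brace cannot be checked from here.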