| Message ID | 20200311092807.24308-1-tiwai@suse.de (mailing list archive) |
|---|---|
| State | Mainlined |
| Commit | 3010518964dc96c41848a05a5b0ec11ccf8d5ebe |
| Headers | show |
| Series | thunderbolt: Use scnprintf() for avoiding potential buffer overflow | expand |
On Wed, Mar 11, 2020 at 10:28:07AM +0100, Takashi Iwai wrote: > Since snprintf() returns the would-be-output size instead of the > actual output size, the succeeding calls may go beyond the given > buffer limit. Fix it by replacing with scnprintf(). > > Signed-off-by: Takashi Iwai <tiwai@suse.de> Applied to thunderbolt.git/next, thanks!
diff --git a/drivers/thunderbolt/domain.c b/drivers/thunderbolt/domain.c index b7980c856898..68c1b93ac5d9 100644 --- a/drivers/thunderbolt/domain.c +++ b/drivers/thunderbolt/domain.c @@ -147,10 +147,10 @@ static ssize_t boot_acl_show(struct device *dev, struct device_attribute *attr, for (ret = 0, i = 0; i < tb->nboot_acl; i++) { if (!uuid_is_null(&uuids[i])) - ret += snprintf(buf + ret, PAGE_SIZE - ret, "%pUb", + ret += scnprintf(buf + ret, PAGE_SIZE - ret, "%pUb", &uuids[i]); - ret += snprintf(buf + ret, PAGE_SIZE - ret, "%s", + ret += scnprintf(buf + ret, PAGE_SIZE - ret, "%s", i < tb->nboot_acl - 1 ? "," : "\n"); }
Since snprintf() returns the would-be-output size instead of the actual output size, the succeeding calls may go beyond the given buffer limit. Fix it by replacing with scnprintf(). Signed-off-by: Takashi Iwai <tiwai@suse.de> --- drivers/thunderbolt/domain.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)