Message ID | 20200311071341.4339-1-tiwai@suse.de (mailing list archive) |
---|---|
State | Mainlined, archived |
Series | cpufreq: Use scnprintf() for avoiding potential buffer overflow | expand |
On 11-03-20, 08:13, Takashi Iwai wrote:
> Since snprintf() returns the would-be-output size instead of the
> actual output size, the succeeding calls may go beyond the given
> buffer limit. Fix it by replacing with scnprintf().
>
> Signed-off-by: Takashi Iwai <tiwai@suse.de>
> ---
> drivers/cpufreq/cpufreq_stats.c | 14 +++++++-------
> 1 file changed, 7 insertions(+), 7 deletions(-)
>
> diff --git a/drivers/cpufreq/cpufreq_stats.c b/drivers/cpufreq/cpufreq_stats.c
> index f9bcf0f3ea30..94d959a8e954 100644
> --- a/drivers/cpufreq/cpufreq_stats.c
> +++ b/drivers/cpufreq/cpufreq_stats.c
> @@ -90,35 +90,35 @@ static ssize_t show_trans_table(struct cpufreq_policy *policy, char *buf)
> if (policy->fast_switch_enabled)
> return 0;
>
> - len += snprintf(buf + len, PAGE_SIZE - len, " From : To\n");
> - len += snprintf(buf + len, PAGE_SIZE - len, " : ");
> + len += scnprintf(buf + len, PAGE_SIZE - len, " From : To\n");
> + len += scnprintf(buf + len, PAGE_SIZE - len, " : ");
> for (i = 0; i < stats->state_num; i++) {
> if (len >= PAGE_SIZE)
> break;
> - len += snprintf(buf + len, PAGE_SIZE - len, "%9u ",
> + len += scnprintf(buf + len, PAGE_SIZE - len, "%9u ",
> stats->freq_table[i]);
> }
> if (len >= PAGE_SIZE)
> return PAGE_SIZE;
>
> - len += snprintf(buf + len, PAGE_SIZE - len, "\n");
> + len += scnprintf(buf + len, PAGE_SIZE - len, "\n");
>
> for (i = 0; i < stats->state_num; i++) {
> if (len >= PAGE_SIZE)
> break;
>
> - len += snprintf(buf + len, PAGE_SIZE - len, "%9u: ",
> + len += scnprintf(buf + len, PAGE_SIZE - len, "%9u: ",
> stats->freq_table[i]);
>
> for (j = 0; j < stats->state_num; j++) {
> if (len >= PAGE_SIZE)
> break;
> - len += snprintf(buf + len, PAGE_SIZE - len, "%9u ",
> + len += scnprintf(buf + len, PAGE_SIZE - len, "%9u ",
> stats->trans_table[i*stats->max_state+j]);
> }
> if (len >= PAGE_SIZE)
> break;
> - len += snprintf(buf + len, PAGE_SIZE - len, "\n");
> + len += scnprintf(buf + len, PAGE_SIZE - len, "\n");
> }
>
> if (len >= PAGE_SIZE) {

Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
diff --git a/drivers/cpufreq/cpufreq_stats.c b/drivers/cpufreq/cpufreq_stats.c
index f9bcf0f3ea30..94d959a8e954 100644
--- a/drivers/cpufreq/cpufreq_stats.c
+++ b/drivers/cpufreq/cpufreq_stats.c
@@ -90,35 +90,35 @@ static ssize_t show_trans_table(struct cpufreq_policy *policy, char *buf)
 if (policy->fast_switch_enabled)
 return 0;
 
- len += snprintf(buf + len, PAGE_SIZE - len, " From : To\n");
- len += snprintf(buf + len, PAGE_SIZE - len, " : ");
+ len += scnprintf(buf + len, PAGE_SIZE - len, " From : To\n");
+ len += scnprintf(buf + len, PAGE_SIZE - len, " : ");
 for (i = 0; i < stats->state_num; i++) {
 if (len >= PAGE_SIZE)
 break;
- len += snprintf(buf + len, PAGE_SIZE - len, "%9u ",
+ len += scnprintf(buf + len, PAGE_SIZE - len, "%9u ",
 stats->freq_table[i]);
 }
 if (len >= PAGE_SIZE)
 return PAGE_SIZE;
 
- len += snprintf(buf + len, PAGE_SIZE - len, "\n");
+ len += scnprintf(buf + len, PAGE_SIZE - len, "\n");
 
 for (i = 0; i < stats->state_num; i++) {
 if (len >= PAGE_SIZE)
 break;
 
- len += snprintf(buf + len, PAGE_SIZE - len, "%9u: ",
+ len += scnprintf(buf + len, PAGE_SIZE - len, "%9u: ",
 stats->freq_table[i]);
 
 for (j = 0; j < stats->state_num; j++) {
 if (len >= PAGE_SIZE)
 break;
- len += snprintf(buf + len, PAGE_SIZE - len, "%9u ",
+ len += scnprintf(buf + len, PAGE_SIZE - len, "%9u ",
 stats->trans_table[i*stats->max_state+j]);
 }
 if (len >= PAGE_SIZE)
 break;
- len += snprintf(buf + len, PAGE_SIZE - len, "\n");
+ len += scnprintf(buf + len, PAGE_SIZE - len, "\n");
 }
 
 if (len >= PAGE_SIZE) {
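Review bot: The `if (len >= PAGE_SIZE)` guards kept as context throughout this hunk can no longer be true once every call is scnprintf(), because it returns the number of characters actually stored (excluding the NUL) and so `len` never exceeds `PAGE_SIZE - 1`. That applies to the loop breaks, to `return PAGE_SIZE;`, and to the final `if (len >= PAGE_SIZE) {` check, so a table that does not fit would be returned silently truncated instead of taking whatever path that last check guards (its body is outside the hunk). If truncation should still be detected, compare against the fill point instead, e.g. `if (len >= PAGE_SIZE - 1)`, accepting that an exactly full buffer is then also treated as truncated. show_trans_table() starts and ends outside the hunk, so the declaration and initial value of `len` are not visible here.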
Since snprintf() returns the would-be-output size instead of the actual output size, the succeeding calls may go beyond the given buffer limit. Fix it by replacing with scnprintf(). Signed-off-by: Takashi Iwai <tiwai@suse.de> --- drivers/cpufreq/cpufreq_stats.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-)