| Message ID | 20200319154641.23711-1-tiwai@suse.de (mailing list archive) |
|---|---|
| State | Mainlined |
| Commit | 23ab5261e29b6b95803ee8dc919ae76e260b358d |
| Delegated to: | Jason Gunthorpe |
| Headers | show |
| Series | infiniband: hfi1: Use scnprintf() for avoiding potential buffer overflow | expand |
On Thu, Mar 19, 2020 at 04:46:41PM +0100, Takashi Iwai wrote: > Since snprintf() returns the would-be-output size instead of the > actual output size, the succeeding calls may go beyond the given > buffer limit. Fix it by replacing with scnprintf(). > > Cc: Mike Marciniszyn <mike.marciniszyn@intel.com> > Cc: Dennis Dalessandro <dennis.dalessandro@intel.com> > Cc: Doug Ledford <dledford@redhat.com> > Cc: Jason Gunthorpe <jgg@ziepe.ca> > Cc: linux-rdma@vger.kernel.org > Signed-off-by: Takashi Iwai <tiwai@suse.de> > --- > drivers/infiniband/hw/hfi1/fault.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) Applied to for-next, thanks Jason
diff --git a/drivers/infiniband/hw/hfi1/fault.c b/drivers/infiniband/hw/hfi1/fault.c index 986c12153e62..0dfbcfb048ca 100644 --- a/drivers/infiniband/hw/hfi1/fault.c +++ b/drivers/infiniband/hw/hfi1/fault.c @@ -222,11 +222,11 @@ static ssize_t fault_opcodes_read(struct file *file, char __user *buf, while (bit < bitsize) { zero = find_next_zero_bit(fault->opcodes, bitsize, bit); if (zero - 1 != bit) - size += snprintf(data + size, + size += scnprintf(data + size, datalen - size - 1, "0x%lx-0x%lx,", bit, zero - 1); else - size += snprintf(data + size, + size += scnprintf(data + size, datalen - size - 1, "0x%lx,", bit); bit = find_next_bit(fault->opcodes, bitsize, zero);
Since snprintf() returns the would-be-output size instead of the actual output size, the succeeding calls may go beyond the given buffer limit. Fix it by replacing with scnprintf(). Cc: Mike Marciniszyn <mike.marciniszyn@intel.com> Cc: Dennis Dalessandro <dennis.dalessandro@intel.com> Cc: Doug Ledford <dledford@redhat.com> Cc: Jason Gunthorpe <jgg@ziepe.ca> Cc: linux-rdma@vger.kernel.org Signed-off-by: Takashi Iwai <tiwai@suse.de> --- drivers/infiniband/hw/hfi1/fault.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)