
[v3] ipr: fix out-of-bounds null overwrite

Message ID 1452102241-4732-1-git-send-email-wuninsu@gmail.com (mailing list archive)
State Accepted, archived

Commit Message

Insu Yun Jan. 6, 2016, 5:44 p.m. UTC
The return value of snprintf is not bounded by the size value (2nd argument).
(https://www.kernel.org/doc/htmldocs/kernel-api/API-snprintf.html).
The return value is the number of printed chars, which can be larger than the 2nd argument.
Therefore, it can write a null byte out of bounds of the buffer.
Since snprintf puts a null, it does not need to put an additional null byte.

Signed-off-by: Insu Yun <wuninsu@gmail.com>
---
 drivers/scsi/ipr.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
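The following C program is an added illustration of the bug described in the commit message, not code from the patch or from the ipr driver: it computes the index the removed `fname[len-1] = '\0'` would have written to for a short and for an over-long input, and shows a bounded copy that clamps to what snprintf actually stored before stripping a trailing newline. `FNAME_SZ`, `copy_name`, `store_fname`, `last_fname` and `long_input` are hypothetical names chosen for the example; the 100-byte size mirrors the driver's `char fname[100]`.

```c
/* Added example (not code from the ipr.c patch): why snprintf()'s return
 * value must not be used as an index, and a copy that drops the trailing
 * newline safely. FNAME_SZ mirrors the driver's 'char fname[100]'. */
#include <stdio.h>
#include <string.h>

#define FNAME_SZ 100

/* Index the removed line 'fname[len-1] = '\0'' would have touched, computed
 * as the old code did (snprintf with size 99). Returned, not written through. */
static int old_pattern_index(const char *src)
{
    char fname[FNAME_SZ];
    int len = snprintf(fname, FNAME_SZ - 1, "%s", src); /* len = strlen(src) */
    return len - 1; /* >= FNAME_SZ for long src: past the end of fname */
}

/* Safe copy: clamp to what was actually stored before indexing.
 * Returns the stored length, or -1 on error/truncation. */
static int copy_name(char *dst, size_t dstsz, const char *src)
{
    int ret = snprintf(dst, dstsz, "%s", src);
    size_t len;

    if (ret < 0 || (size_t)ret >= dstsz)
        return -1; /* dst is still NUL-terminated, just cut short */
    len = (size_t)ret;
    if (len && dst[len - 1] == '\n') /* 'echo name > update_fw' adds '\n' */
        dst[--len] = '\0';
    return (int)len;
}

static char g_fname[FNAME_SZ]; /* stand-in for the driver's local buffer */
static int store_fname(const char *src) { return copy_name(g_fname, FNAME_SZ, src); }
static const char *last_fname(void) { return g_fname; }

/* Constructed input: 198 'A's plus '\n' (199 chars), longer than fname. */
static const char *long_input(void)
{
    static char buf[200];
    memset(buf, 'A', 198); buf[198] = '\n'; buf[199] = '\0';
    return buf;
}

int main(void)
{
    int n = store_fname("fw.bin\n");
    printf("old index: %d / %d\n", old_pattern_index(long_input()), FNAME_SZ);
    printf("stored \"%s\" len %d\n", last_fname(), n);
    return 0;
}
```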

Comments

Seymour, Shane M Jan. 7, 2016, 10:19 a.m. UTC | #1
> Signed-off-by: Insu Yun <wuninsu@gmail.com>

Thanks for making the changes.

Reviewed-by: Shane Seymour <shane.seymour@hpe.com>
Martin K. Petersen Jan. 8, 2016, 2:52 a.m. UTC | #2
>>>>> "Insu" == Insu Yun <wuninsu@gmail.com> writes:

Insu> Return value of snprintf is not bound by size value, 2nd argument.
Insu> (https://www.kernel.org/doc/htmldocs/kernel-api/API-snprintf.html).
Insu> Return value is number of printed chars, can be larger than 2nd
Insu> argument.  Therefore, it can write null byte out of bounds
Insu> of buffer.  Since snprintf puts null, it does not need to put
Insu> additional null byte.

Applied to 4.5/scsi-queue.

Patch

diff --git a/drivers/scsi/ipr.c b/drivers/scsi/ipr.c
index 536cd5a..1c3759b 100644
--- a/drivers/scsi/ipr.c
+++ b/drivers/scsi/ipr.c
@@ -4003,13 +4003,12 @@  static ssize_t ipr_store_update_fw(struct device *dev,
 	struct ipr_sglist *sglist;
 	char fname[100];
 	char *src;
-	int len, result, dnld_size;
+	int result, dnld_size;
 
 	if (!capable(CAP_SYS_ADMIN))
 		return -EACCES;
 
-	len = snprintf(fname, 99, "%s", buf);
-	fname[len-1] = '\0';
+	snprintf(fname, sizeof(fname), "%s", buf);
 
 	if (request_firmware(&fw_entry, fname, &ioa_cfg->pdev->dev)) {
 		dev_err(&ioa_cfg->pdev->dev, "Firmware file %s not found\n", fname);
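Review bot: the removed `fname[len-1] = '\0'` did not only terminate the string, it also cut off the last character of buf, which for a sysfs store is normally the '\n' that `echo` appends; the replacement `snprintf(fname, sizeof(fname), "%s", buf);` keeps that newline, so the `request_firmware(&fw_entry, fname, ...)` call just below would now look for "name\n" instead of "name". Keep the bounded copy, but strip the newline by inspecting the stored string rather than the return value, e.g. `char *nl = strchr(fname, '\n'); if (nl) *nl = '\0';`. It is also worth checking the snprintf return value against sizeof(fname): when it is >= sizeof(fname) the name was truncated and the request would go out for a wrong file, so returning an error there is clearer than a confusing "Firmware file %s not found" message.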