diff mbox series

[net-next,01/29] can: slcan: use scnprintf() as a hardening measure

Message ID 20220720081034.3277385-2-mkl@pengutronix.de (mailing list archive)
State Accepted
Commit 0159a9305d401fd21a1cda5e7baaf62122c46a5b
Delegated to: Netdev Maintainers
Headers show
Series [net-next,01/29] can: slcan: use scnprintf() as a hardening measure | expand

Checks

Context Check Description
netdev/tree_selection success Clearly marked for net-next
netdev/fixes_present success Fixes tag not required for -next series
netdev/subject_prefix success Link
netdev/cover_letter success Pull request is its own cover letter
netdev/patch_count warning Series longer than 15 patches
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 2 this patch: 2
netdev/cc_maintainers fail 1 blamed authors not CCed: dario.binacchi@amarulasolutions.com; 4 maintainers not CCed: wg@grandegger.com pabeni@redhat.com dario.binacchi@amarulasolutions.com edumazet@google.com
netdev/build_clang success Errors and warnings before: 0 this patch: 0
netdev/module_param success Was 0 now: 0
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 2 this patch: 2
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 8 lines checked
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0

Commit Message

Marc Kleine-Budde July 20, 2022, 8:10 a.m. UTC 
From: Dan Carpenter <dan.carpenter@oracle.com>

The snprintf() function returns the number of bytes which *would* have
been copied if there were no space. So, since this code does not check
the return value, there if the buffer was not large enough then there
would be a buffer overflow two lines later when it does:

	actual = sl->tty->ops->write(sl->tty, sl->xbuff, n);

Use scnprintf() instead because that returns the number of bytes which
were actually copied.

Fixes: 52f9ac85b876 ("can: slcan: allow to send commands to the adapter")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Link: https://lore.kernel.org/all/YsVA9KoY/ZSvNGYk@kili
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
---
 drivers/net/can/slcan/slcan-core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)


base-commit: e22c88799f2629088504e1357384f2ec3798da46

Comments

patchwork-bot+netdevbpf@kernel.org July 20, 2022, 9:30 a.m. UTC | #1 
Hello:

This series was applied to netdev/net-next.git (master)
by Marc Kleine-Budde <mkl@pengutronix.de>:

On Wed, 20 Jul 2022 10:10:06 +0200 you wrote:
> From: Dan Carpenter <dan.carpenter@oracle.com>
> 
> The snprintf() function returns the number of bytes which *would* have
> been copied if there were no space. So, since this code does not check
> the return value, there if the buffer was not large enough then there
> would be a buffer overflow two lines later when it does:
> 
> [...]

Here is the summary with links:
  - [net-next,01/29] can: slcan: use scnprintf() as a hardening measure
    https://git.kernel.org/netdev/net-next/c/0159a9305d40
  - [net-next,02/29] can: slcan: convert comments to network style comments
    https://git.kernel.org/netdev/net-next/c/71f3a4cc740a
  - [net-next,03/29] can: slcan: slcan_init() convert printk(LEVEL ...) to pr_level()
    https://git.kernel.org/netdev/net-next/c/ded5fa885b2d
  - [net-next,04/29] can: slcan: fix whitespace issues
    https://git.kernel.org/netdev/net-next/c/f07d9e3c849b
  - [net-next,05/29] can: slcan: convert comparison to NULL into !val
    https://git.kernel.org/netdev/net-next/c/69a6539632dd
  - [net-next,06/29] can: slcan: clean up if/else
    https://git.kernel.org/netdev/net-next/c/18de712a5802
  - [net-next,07/29] dt-bindings: can: sja1000: Convert to json-schema
    https://git.kernel.org/netdev/net-next/c/f6b8061db9af
  - [net-next,08/29] dt-bindings: can: nxp,sja1000: Document RZ/N1{D,S} support
    https://git.kernel.org/netdev/net-next/c/4591c760b797
  - [net-next,09/29] can: sja1000: Add Quirk for RZ/N1 SJA1000 CAN controller
    https://git.kernel.org/netdev/net-next/c/2d99bfbf3386
  - [net-next,10/29] can: sja1000: Use device_get_match_data to get device data
    https://git.kernel.org/netdev/net-next/c/63ab1b63695e
  - [net-next,11/29] can: sja1000: Change the return type as void for SoC specific init
    https://git.kernel.org/netdev/net-next/c/6d5fe10796bb
  - [net-next,12/29] can: slcan: do not sleep with a spin lock held
    https://git.kernel.org/netdev/net-next/c/c6887023268e
  - [net-next,13/29] can: c_can: remove wrong comment
    https://git.kernel.org/netdev/net-next/c/4940eb51fc49
  - [net-next,14/29] can: ctucanfd: Update CTU CAN FD IP core registers to match version 3.x.
    https://git.kernel.org/netdev/net-next/c/9e7c9b8eb719
  - [net-next,15/29] can: peak_usb: pcan_dump_mem(): mark input prompt and data pointer as const
    https://git.kernel.org/netdev/net-next/c/92505df464ff
  - [net-next,16/29] can: peak_usb: correction of an initially misnamed field name
    https://git.kernel.org/netdev/net-next/c/a0cf2fe6cf2e
  - [net-next,17/29] can: peak_usb: include support for a new MCU
    https://git.kernel.org/netdev/net-next/c/4f232482467a
  - [net-next,18/29] can: pch_can: do not report txerr and rxerr during bus-off
    https://git.kernel.org/netdev/net-next/c/3a5c7e4611dd
  - [net-next,19/29] can: rcar_can: do not report txerr and rxerr during bus-off
    https://git.kernel.org/netdev/net-next/c/a37b7245e831
  - [net-next,20/29] can: sja1000: do not report txerr and rxerr during bus-off
    https://git.kernel.org/netdev/net-next/c/164d7cb2d5a3
  - [net-next,21/29] can: slcan: do not report txerr and rxerr during bus-off
    https://git.kernel.org/netdev/net-next/c/ce0e7aeb676b
  - [net-next,22/29] can: hi311x: do not report txerr and rxerr during bus-off
    https://git.kernel.org/netdev/net-next/c/a22bd630cfff
  - [net-next,23/29] can: sun4i_can: do not report txerr and rxerr during bus-off
    https://git.kernel.org/netdev/net-next/c/0ac15a8f661b
  - [net-next,24/29] can: kvaser_usb_hydra: do not report txerr and rxerr during bus-off
    https://git.kernel.org/netdev/net-next/c/936e90595376
  - [net-next,25/29] can: kvaser_usb_leaf: do not report txerr and rxerr during bus-off
    https://git.kernel.org/netdev/net-next/c/a57732084e06
  - [net-next,26/29] can: usb_8dev: do not report txerr and rxerr during bus-off
    https://git.kernel.org/netdev/net-next/c/aebe8a2433cd
  - [net-next,27/29] can: error: specify the values of data[5..7] of CAN error frames
    https://git.kernel.org/netdev/net-next/c/e70a3263a7ee
  - [net-next,28/29] can: add CAN_ERR_CNT flag to notify availability of error counter
    https://git.kernel.org/netdev/net-next/c/3e5c291c7942
  - [net-next,29/29] can: error: add definitions for the different CAN error thresholds
    https://git.kernel.org/netdev/net-next/c/3f9c26210cf8

You are awesome, thank you!
diff mbox series

Patch

diff --git a/drivers/net/can/slcan/slcan-core.c b/drivers/net/can/slcan/slcan-core.c
index 54d29a410ad5..92bdd49996d1 100644
--- a/drivers/net/can/slcan/slcan-core.c
+++ b/drivers/net/can/slcan/slcan-core.c
@@ -647,7 +647,7 @@  static int slcan_transmit_cmd(struct slcan *sl, const unsigned char *cmd)
 		return -ENODEV;
 	}
 
-	n = snprintf(sl->xbuff, sizeof(sl->xbuff), "%s", cmd);
+	n = scnprintf(sl->xbuff, sizeof(sl->xbuff), "%s", cmd);
 	set_bit(TTY_DO_WRITE_WAKEUP, &sl->tty->flags);
 	actual = sl->tty->ops->write(sl->tty, sl->xbuff, n);
 	sl->xleft = n - actual;