diff mbox series

[net-next,v2,2/2] bnxt_en: avoid truncation of per rx run debugfs filename

Message ID 20240813-bnxt-str-v2-2-872050a157e7@kernel.org (mailing list archive)
State Accepted
Commit 1418e9ab3e2e2f3aad3b1f93e9e4472160132755
Delegated to: Netdev Maintainers
Headers show
Series bnxt_en: address string truncation | expand

Checks

Context Check Description
netdev/series_format success Posting correctly formatted
netdev/tree_selection success Clearly marked for net-next
netdev/ynl success Generated files up to date; no warnings/errors; no diff in generated;
netdev/fixes_present success Fixes tag not required for -next series
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 29 this patch: 29
netdev/build_tools success No tools touched, skip
netdev/cc_maintainers success CCed 5 of 5 maintainers
netdev/build_clang success Errors and warnings before: 29 this patch: 29
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success No Fixes tag
netdev/build_allmodconfig_warn success Errors and warnings before: 30 this patch: 29
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 11 lines checked
netdev/build_clang_rust success No Rust files in patch. Skipping build
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0
netdev/contest warning net-next-2024-08-14--00-00 (tests: 708)

Commit Message

Simon Horman Aug. 13, 2024, 2:32 p.m. UTC 
Although it seems unlikely in practice - there would need to be
rx ring indexes greater than 10^10 - it is theoretically possible
for the filename of per rx ring debugfs files to be truncated.

This is because although a 16 byte buffer is provided, the length
of the filename is restricted to 10 bytes. Remove this restriction
and allow the entire buffer to be used.

Also reduce the buffer to 12 bytes, which is sufficient.

Given that the range of rx ring indexes likely much smaller than the
maximum range of a 32-bit signed integer, a smaller buffer could be
used, with some further changes.  But this change seems simple, robust,
and has minimal stack overhead.

Flagged by gcc-14:

  .../bnxt_debugfs.c: In function 'bnxt_debug_dev_init':
  drivers/net/ethernet/broadcom/bnxt/bnxt_debugfs.c:69:30: warning: '%d' directive output may be truncated writing between 1 and 11 bytes into a region of size 10 [-Wformat-truncation=]
     69 |         snprintf(qname, 10, "%d", ring_idx);
        |                              ^~
  In function 'debugfs_dim_ring_init',
      inlined from 'bnxt_debug_dev_init' at .../bnxt_debugfs.c:87:4:
  .../bnxt_debugfs.c:69:29: note: directive argument in the range [-2147483643, 2147483646]
     69 |         snprintf(qname, 10, "%d", ring_idx);
        |                             ^~~~
  .../bnxt_debugfs.c:69:9: note: 'snprintf' output between 2 and 12 bytes into a destination of size 10
     69 |         snprintf(qname, 10, "%d", ring_idx);
        |         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Compile tested only

Signed-off-by: Simon Horman <horms@kernel.org>
---
v2: No change
---
 drivers/net/ethernet/broadcom/bnxt/bnxt_debugfs.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Comments

Michael Chan Aug. 13, 2024, 5:02 p.m. UTC | #1 
On Tue, Aug 13, 2024 at 7:33 AM Simon Horman <horms@kernel.org> wrote:
>
> Although it seems unlikely in practice - there would need to be
> rx ring indexes greater than 10^10 - it is theoretically possible
> for the filename of per rx ring debugfs files to be truncated.
>
> This is because although a 16 byte buffer is provided, the length
> of the filename is restricted to 10 bytes. Remove this restriction
> and allow the entire buffer to be used.
>
> Also reduce the buffer to 12 bytes, which is sufficient.
>
> Given that the range of rx ring indexes likely much smaller than the
> maximum range of a 32-bit signed integer, a smaller buffer could be
> used, with some further changes.  But this change seems simple, robust,
> and has minimal stack overhead.
>
> Flagged by gcc-14:
>
>   .../bnxt_debugfs.c: In function 'bnxt_debug_dev_init':
>   drivers/net/ethernet/broadcom/bnxt/bnxt_debugfs.c:69:30: warning: '%d' directive output may be truncated writing between 1 and 11 bytes into a region of size 10 [-Wformat-truncation=]
>      69 |         snprintf(qname, 10, "%d", ring_idx);
>         |                              ^~
>   In function 'debugfs_dim_ring_init',
>       inlined from 'bnxt_debug_dev_init' at .../bnxt_debugfs.c:87:4:
>   .../bnxt_debugfs.c:69:29: note: directive argument in the range [-2147483643, 2147483646]
>      69 |         snprintf(qname, 10, "%d", ring_idx);
>         |                             ^~~~
>   .../bnxt_debugfs.c:69:9: note: 'snprintf' output between 2 and 12 bytes into a destination of size 10
>      69 |         snprintf(qname, 10, "%d", ring_idx);
>         |         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> Compile tested only
>
> Signed-off-by: Simon Horman <horms@kernel.org>

Thanks.
Reviewed-by: Michael Chan <michael.chan@broadcom.com>
diff mbox series

Patch

diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_debugfs.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_debugfs.c
index 156c2404854f..127b7015f676 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_debugfs.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_debugfs.c
@@ -64,9 +64,9 @@  static const struct file_operations debugfs_dim_fops = {
 static void debugfs_dim_ring_init(struct dim *dim, int ring_idx,
 				  struct dentry *dd)
 {
-	static char qname[16];
+	static char qname[12];
 
-	snprintf(qname, 10, "%d", ring_idx);
+	snprintf(qname, sizeof(qname), "%d", ring_idx);
 	debugfs_create_file(qname, 0600, dd, dim, &debugfs_dim_fops);
 }