From patchwork Wed Mar 11 08:47:07 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Takashi Iwai X-Patchwork-Id: 11431143 X-Patchwork-Delegate: kvalo@adurom.com Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 898EC921 for ; Wed, 11 Mar 2020 08:47:21 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 72AF120637 for ; Wed, 11 Mar 2020 08:47:21 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728651AbgCKIrU (ORCPT ); Wed, 11 Mar 2020 04:47:20 -0400 Received: from mx2.suse.de ([195.135.220.15]:55828 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728242AbgCKIrU (ORCPT ); Wed, 11 Mar 2020 04:47:20 -0400 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.220.254]) by mx2.suse.de (Postfix) with ESMTP id 751C7ADDA; Wed, 11 Mar 2020 08:47:18 +0000 (UTC) From: Takashi Iwai To: linux-wireless@vger.kernel.org Cc: Kalle Valo , ath11k@lists.infradead.org Subject: [PATCH 1/7] ath11k: Use scnprintf() for avoiding potential buffer overflow Date: Wed, 11 Mar 2020 09:47:07 +0100 Message-Id: <20200311084713.18220-2-tiwai@suse.de> X-Mailer: git-send-email 2.16.4 In-Reply-To: <20200311084713.18220-1-tiwai@suse.de> References: <20200311084713.18220-1-tiwai@suse.de> Sender: linux-wireless-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org Since snprintf() returns the would-be-output size instead of the actual output size, the succeeding calls may go beyond the given buffer limit. Fix it by replacing with scnprintf(). Cc: ath11k@lists.infradead.org Signed-off-by: Takashi Iwai --- drivers/net/wireless/ath/ath11k/debug_htt_stats.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/drivers/net/wireless/ath/ath11k/debug_htt_stats.c b/drivers/net/wireless/ath/ath11k/debug_htt_stats.c index 9939e909628f..f44dec839e70 100644 --- a/drivers/net/wireless/ath/ath11k/debug_htt_stats.c +++ b/drivers/net/wireless/ath/ath11k/debug_htt_stats.c @@ -22,7 +22,7 @@ do { \ int index = 0; u8 i; \ for (i = 0; i < len; i++) { \ - index += snprintf(out + index, HTT_MAX_STRING_LEN - index, \ + index += scnprintf(out + index, HTT_MAX_STRING_LEN - index, \ " %u:%u,", i, arr[i]); \ if (index < 0 || index >= HTT_MAX_STRING_LEN) \ break; \ @@ -46,7 +46,7 @@ static inline void htt_print_stats_string_tlv(const void *tag_buf, len += HTT_DBG_OUT(buf + len, buf_len - len, "HTT_STATS_STRING_TLV:"); for (i = 0; i < tag_len; i++) { - index += snprintf(&data[index], + index += scnprintf(&data[index], HTT_MAX_STRING_LEN - index, "%.*s", 4, (char *)&(htt_stats_buf->data[i])); if (index >= HTT_MAX_STRING_LEN) @@ -3097,7 +3097,7 @@ static inline void htt_print_rx_pdev_rate_stats_tlv(const void *tag_buf, index = 0; for (i = 0; i < HTT_RX_PDEV_STATS_RXEVM_MAX_PILOTS_PER_NSS; i++) - index += snprintf(&rx_pilot_evm_db[j][index], + index += scnprintf(&rx_pilot_evm_db[j][index], HTT_MAX_STRING_LEN - index, " %u:%d,", i, @@ -3109,7 +3109,7 @@ static inline void htt_print_rx_pdev_rate_stats_tlv(const void *tag_buf, index = 0; memset(str_buf, 0x0, HTT_MAX_STRING_LEN); for (i = 0; i < HTT_RX_PDEV_STATS_NUM_SPATIAL_STREAMS; i++) - index += snprintf(&str_buf[index], + index += scnprintf(&str_buf[index], HTT_MAX_STRING_LEN - index, " %u:%d,", i, htt_stats_buf->rx_pilot_evm_db_mean[i]); len += HTT_DBG_OUT(buf + len, buf_len - len, "pilot_evm_dB_mean = %s ", str_buf); @@ -3217,7 +3217,7 @@ static inline void htt_print_rx_pdev_rate_stats_tlv(const void *tag_buf, index = 0; memset(str_buf, 0x0, HTT_MAX_STRING_LEN); for (i = 0; i < HTT_RX_PDEV_MAX_OFDMA_NUM_USER; i++) - index += snprintf(&str_buf[index], + index += scnprintf(&str_buf[index], HTT_MAX_STRING_LEN - index, " %u:%d,", i, htt_stats_buf->rx_ul_fd_rssi[j][i]); @@ -3232,7 +3232,7 @@ static inline void htt_print_rx_pdev_rate_stats_tlv(const void *tag_buf, index = 0; memset(str_buf, 0x0, HTT_MAX_STRING_LEN); for (i = 0; i < HTT_RX_PDEV_STATS_NUM_BW_COUNTERS; i++) - index += snprintf(&str_buf[index], + index += scnprintf(&str_buf[index], HTT_MAX_STRING_LEN - index, " %u:%d,", i, From patchwork Wed Mar 11 08:47:08 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Takashi Iwai X-Patchwork-Id: 11431149 X-Patchwork-Delegate: kvalo@adurom.com Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id E50E7138D for ; Wed, 11 Mar 2020 08:47:22 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id B184120828 for ; Wed, 11 Mar 2020 08:47:22 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728732AbgCKIrW (ORCPT ); Wed, 11 Mar 2020 04:47:22 -0400 Received: from mx2.suse.de ([195.135.220.15]:55836 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728263AbgCKIrV (ORCPT ); Wed, 11 Mar 2020 04:47:21 -0400 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.220.254]) by mx2.suse.de (Postfix) with ESMTP id 9D9B8AEC1; Wed, 11 Mar 2020 08:47:18 +0000 (UTC) From: Takashi Iwai To: linux-wireless@vger.kernel.org Cc: Kalle Valo , Jiri Slaby , Nick Kossifidis , Luis Chamberlain Subject: [PATCH 2/7] ath5k: Use scnprintf() for avoiding potential buffer overflow Date: Wed, 11 Mar 2020 09:47:08 +0100 Message-Id: <20200311084713.18220-3-tiwai@suse.de> X-Mailer: git-send-email 2.16.4 In-Reply-To: <20200311084713.18220-1-tiwai@suse.de> References: <20200311084713.18220-1-tiwai@suse.de> Sender: linux-wireless-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org Since snprintf() returns the would-be-output size instead of the actual output size, the succeeding calls may go beyond the given buffer limit. Fix it by replacing with scnprintf(). Cc: Jiri Slaby Cc: Nick Kossifidis Cc: Luis Chamberlain Signed-off-by: Takashi Iwai --- drivers/net/wireless/ath/ath5k/debug.c | 174 ++++++++++++++++----------------- 1 file changed, 87 insertions(+), 87 deletions(-) diff --git a/drivers/net/wireless/ath/ath5k/debug.c b/drivers/net/wireless/ath/ath5k/debug.c index 94f70047d3fc..2eaba1ccab20 100644 --- a/drivers/net/wireless/ath/ath5k/debug.c +++ b/drivers/net/wireless/ath/ath5k/debug.c @@ -201,35 +201,35 @@ static ssize_t read_file_beacon(struct file *file, char __user *user_buf, u64 tsf; v = ath5k_hw_reg_read(ah, AR5K_BEACON); - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, "%-24s0x%08x\tintval: %d\tTIM: 0x%x\n", "AR5K_BEACON", v, v & AR5K_BEACON_PERIOD, (v & AR5K_BEACON_TIM) >> AR5K_BEACON_TIM_S); - len += snprintf(buf + len, sizeof(buf) - len, "%-24s0x%08x\n", + len += scnprintf(buf + len, sizeof(buf) - len, "%-24s0x%08x\n", "AR5K_LAST_TSTP", ath5k_hw_reg_read(ah, AR5K_LAST_TSTP)); - len += snprintf(buf + len, sizeof(buf) - len, "%-24s0x%08x\n\n", + len += scnprintf(buf + len, sizeof(buf) - len, "%-24s0x%08x\n\n", "AR5K_BEACON_CNT", ath5k_hw_reg_read(ah, AR5K_BEACON_CNT)); v = ath5k_hw_reg_read(ah, AR5K_TIMER0); - len += snprintf(buf + len, sizeof(buf) - len, "%-24s0x%08x\tTU: %08x\n", + len += scnprintf(buf + len, sizeof(buf) - len, "%-24s0x%08x\tTU: %08x\n", "AR5K_TIMER0 (TBTT)", v, v); v = ath5k_hw_reg_read(ah, AR5K_TIMER1); - len += snprintf(buf + len, sizeof(buf) - len, "%-24s0x%08x\tTU: %08x\n", + len += scnprintf(buf + len, sizeof(buf) - len, "%-24s0x%08x\tTU: %08x\n", "AR5K_TIMER1 (DMA)", v, v >> 3); v = ath5k_hw_reg_read(ah, AR5K_TIMER2); - len += snprintf(buf + len, sizeof(buf) - len, "%-24s0x%08x\tTU: %08x\n", + len += scnprintf(buf + len, sizeof(buf) - len, "%-24s0x%08x\tTU: %08x\n", "AR5K_TIMER2 (SWBA)", v, v >> 3); v = ath5k_hw_reg_read(ah, AR5K_TIMER3); - len += snprintf(buf + len, sizeof(buf) - len, "%-24s0x%08x\tTU: %08x\n", + len += scnprintf(buf + len, sizeof(buf) - len, "%-24s0x%08x\tTU: %08x\n", "AR5K_TIMER3 (ATIM)", v, v); tsf = ath5k_hw_get_tsf64(ah); - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, "TSF\t\t0x%016llx\tTU: %08x\n", (unsigned long long)tsf, TSF_TO_TU(tsf)); @@ -320,16 +320,16 @@ static ssize_t read_file_debug(struct file *file, char __user *user_buf, unsigned int len = 0; unsigned int i; - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, "DEBUG LEVEL: 0x%08x\n\n", ah->debug.level); for (i = 0; i < ARRAY_SIZE(dbg_info) - 1; i++) { - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, "%10s %c 0x%08x - %s\n", dbg_info[i].name, ah->debug.level & dbg_info[i].level ? '+' : ' ', dbg_info[i].level, dbg_info[i].desc); } - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, "%10s %c 0x%08x - %s\n", dbg_info[i].name, ah->debug.level == dbg_info[i].level ? '+' : ' ', dbg_info[i].level, dbg_info[i].desc); @@ -383,60 +383,60 @@ static ssize_t read_file_antenna(struct file *file, char __user *user_buf, unsigned int i; unsigned int v; - len += snprintf(buf + len, sizeof(buf) - len, "antenna mode\t%d\n", + len += scnprintf(buf + len, sizeof(buf) - len, "antenna mode\t%d\n", ah->ah_ant_mode); - len += snprintf(buf + len, sizeof(buf) - len, "default antenna\t%d\n", + len += scnprintf(buf + len, sizeof(buf) - len, "default antenna\t%d\n", ah->ah_def_ant); - len += snprintf(buf + len, sizeof(buf) - len, "tx antenna\t%d\n", + len += scnprintf(buf + len, sizeof(buf) - len, "tx antenna\t%d\n", ah->ah_tx_ant); - len += snprintf(buf + len, sizeof(buf) - len, "\nANTENNA\t\tRX\tTX\n"); + len += scnprintf(buf + len, sizeof(buf) - len, "\nANTENNA\t\tRX\tTX\n"); for (i = 1; i < ARRAY_SIZE(ah->stats.antenna_rx); i++) { - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, "[antenna %d]\t%d\t%d\n", i, ah->stats.antenna_rx[i], ah->stats.antenna_tx[i]); } - len += snprintf(buf + len, sizeof(buf) - len, "[invalid]\t%d\t%d\n", + len += scnprintf(buf + len, sizeof(buf) - len, "[invalid]\t%d\t%d\n", ah->stats.antenna_rx[0], ah->stats.antenna_tx[0]); v = ath5k_hw_reg_read(ah, AR5K_DEFAULT_ANTENNA); - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, "\nAR5K_DEFAULT_ANTENNA\t0x%08x\n", v); v = ath5k_hw_reg_read(ah, AR5K_STA_ID1); - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, "AR5K_STA_ID1_DEFAULT_ANTENNA\t%d\n", (v & AR5K_STA_ID1_DEFAULT_ANTENNA) != 0); - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, "AR5K_STA_ID1_DESC_ANTENNA\t%d\n", (v & AR5K_STA_ID1_DESC_ANTENNA) != 0); - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, "AR5K_STA_ID1_RTS_DEF_ANTENNA\t%d\n", (v & AR5K_STA_ID1_RTS_DEF_ANTENNA) != 0); - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, "AR5K_STA_ID1_SELFGEN_DEF_ANT\t%d\n", (v & AR5K_STA_ID1_SELFGEN_DEF_ANT) != 0); v = ath5k_hw_reg_read(ah, AR5K_PHY_AGCCTL); - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, "\nAR5K_PHY_AGCCTL_OFDM_DIV_DIS\t%d\n", (v & AR5K_PHY_AGCCTL_OFDM_DIV_DIS) != 0); v = ath5k_hw_reg_read(ah, AR5K_PHY_RESTART); - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, "AR5K_PHY_RESTART_DIV_GC\t\t%x\n", (v & AR5K_PHY_RESTART_DIV_GC) >> AR5K_PHY_RESTART_DIV_GC_S); v = ath5k_hw_reg_read(ah, AR5K_PHY_FAST_ANT_DIV); - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, "AR5K_PHY_FAST_ANT_DIV_EN\t%d\n", (v & AR5K_PHY_FAST_ANT_DIV_EN) != 0); v = ath5k_hw_reg_read(ah, AR5K_PHY_ANT_SWITCH_TABLE_0); - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, "\nAR5K_PHY_ANT_SWITCH_TABLE_0\t0x%08x\n", v); v = ath5k_hw_reg_read(ah, AR5K_PHY_ANT_SWITCH_TABLE_1); - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, "AR5K_PHY_ANT_SWITCH_TABLE_1\t0x%08x\n", v); if (len > sizeof(buf)) @@ -495,36 +495,36 @@ static ssize_t read_file_misc(struct file *file, char __user *user_buf, unsigned int len = 0; u32 filt = ath5k_hw_get_rx_filter(ah); - len += snprintf(buf + len, sizeof(buf) - len, "bssid-mask: %pM\n", + len += scnprintf(buf + len, sizeof(buf) - len, "bssid-mask: %pM\n", ah->bssidmask); - len += snprintf(buf + len, sizeof(buf) - len, "filter-flags: 0x%x ", + len += scnprintf(buf + len, sizeof(buf) - len, "filter-flags: 0x%x ", filt); if (filt & AR5K_RX_FILTER_UCAST) - len += snprintf(buf + len, sizeof(buf) - len, " UCAST"); + len += scnprintf(buf + len, sizeof(buf) - len, " UCAST"); if (filt & AR5K_RX_FILTER_MCAST) - len += snprintf(buf + len, sizeof(buf) - len, " MCAST"); + len += scnprintf(buf + len, sizeof(buf) - len, " MCAST"); if (filt & AR5K_RX_FILTER_BCAST) - len += snprintf(buf + len, sizeof(buf) - len, " BCAST"); + len += scnprintf(buf + len, sizeof(buf) - len, " BCAST"); if (filt & AR5K_RX_FILTER_CONTROL) - len += snprintf(buf + len, sizeof(buf) - len, " CONTROL"); + len += scnprintf(buf + len, sizeof(buf) - len, " CONTROL"); if (filt & AR5K_RX_FILTER_BEACON) - len += snprintf(buf + len, sizeof(buf) - len, " BEACON"); + len += scnprintf(buf + len, sizeof(buf) - len, " BEACON"); if (filt & AR5K_RX_FILTER_PROM) - len += snprintf(buf + len, sizeof(buf) - len, " PROM"); + len += scnprintf(buf + len, sizeof(buf) - len, " PROM"); if (filt & AR5K_RX_FILTER_XRPOLL) - len += snprintf(buf + len, sizeof(buf) - len, " XRPOLL"); + len += scnprintf(buf + len, sizeof(buf) - len, " XRPOLL"); if (filt & AR5K_RX_FILTER_PROBEREQ) - len += snprintf(buf + len, sizeof(buf) - len, " PROBEREQ"); + len += scnprintf(buf + len, sizeof(buf) - len, " PROBEREQ"); if (filt & AR5K_RX_FILTER_PHYERR_5212) - len += snprintf(buf + len, sizeof(buf) - len, " PHYERR-5212"); + len += scnprintf(buf + len, sizeof(buf) - len, " PHYERR-5212"); if (filt & AR5K_RX_FILTER_RADARERR_5212) - len += snprintf(buf + len, sizeof(buf) - len, " RADARERR-5212"); + len += scnprintf(buf + len, sizeof(buf) - len, " RADARERR-5212"); if (filt & AR5K_RX_FILTER_PHYERR_5211) snprintf(buf + len, sizeof(buf) - len, " PHYERR-5211"); if (filt & AR5K_RX_FILTER_RADARERR_5211) - len += snprintf(buf + len, sizeof(buf) - len, " RADARERR-5211"); + len += scnprintf(buf + len, sizeof(buf) - len, " RADARERR-5211"); - len += snprintf(buf + len, sizeof(buf) - len, "\nopmode: %s (%d)\n", + len += scnprintf(buf + len, sizeof(buf) - len, "\nopmode: %s (%d)\n", ath_opmode_to_string(ah->opmode), ah->opmode); if (len > sizeof(buf)) @@ -551,65 +551,65 @@ static ssize_t read_file_frameerrors(struct file *file, char __user *user_buf, unsigned int len = 0; int i; - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, "RX\n---------------------\n"); - len += snprintf(buf + len, sizeof(buf) - len, "CRC\t%u\t(%u%%)\n", + len += scnprintf(buf + len, sizeof(buf) - len, "CRC\t%u\t(%u%%)\n", st->rxerr_crc, st->rx_all_count > 0 ? st->rxerr_crc * 100 / st->rx_all_count : 0); - len += snprintf(buf + len, sizeof(buf) - len, "PHY\t%u\t(%u%%)\n", + len += scnprintf(buf + len, sizeof(buf) - len, "PHY\t%u\t(%u%%)\n", st->rxerr_phy, st->rx_all_count > 0 ? st->rxerr_phy * 100 / st->rx_all_count : 0); for (i = 0; i < 32; i++) { if (st->rxerr_phy_code[i]) - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, " phy_err[%u]\t%u\n", i, st->rxerr_phy_code[i]); } - len += snprintf(buf + len, sizeof(buf) - len, "FIFO\t%u\t(%u%%)\n", + len += scnprintf(buf + len, sizeof(buf) - len, "FIFO\t%u\t(%u%%)\n", st->rxerr_fifo, st->rx_all_count > 0 ? st->rxerr_fifo * 100 / st->rx_all_count : 0); - len += snprintf(buf + len, sizeof(buf) - len, "decrypt\t%u\t(%u%%)\n", + len += scnprintf(buf + len, sizeof(buf) - len, "decrypt\t%u\t(%u%%)\n", st->rxerr_decrypt, st->rx_all_count > 0 ? st->rxerr_decrypt * 100 / st->rx_all_count : 0); - len += snprintf(buf + len, sizeof(buf) - len, "MIC\t%u\t(%u%%)\n", + len += scnprintf(buf + len, sizeof(buf) - len, "MIC\t%u\t(%u%%)\n", st->rxerr_mic, st->rx_all_count > 0 ? st->rxerr_mic * 100 / st->rx_all_count : 0); - len += snprintf(buf + len, sizeof(buf) - len, "process\t%u\t(%u%%)\n", + len += scnprintf(buf + len, sizeof(buf) - len, "process\t%u\t(%u%%)\n", st->rxerr_proc, st->rx_all_count > 0 ? st->rxerr_proc * 100 / st->rx_all_count : 0); - len += snprintf(buf + len, sizeof(buf) - len, "jumbo\t%u\t(%u%%)\n", + len += scnprintf(buf + len, sizeof(buf) - len, "jumbo\t%u\t(%u%%)\n", st->rxerr_jumbo, st->rx_all_count > 0 ? st->rxerr_jumbo * 100 / st->rx_all_count : 0); - len += snprintf(buf + len, sizeof(buf) - len, "[RX all\t%u]\n", + len += scnprintf(buf + len, sizeof(buf) - len, "[RX all\t%u]\n", st->rx_all_count); - len += snprintf(buf + len, sizeof(buf) - len, "RX-all-bytes\t%u\n", + len += scnprintf(buf + len, sizeof(buf) - len, "RX-all-bytes\t%u\n", st->rx_bytes_count); - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, "\nTX\n---------------------\n"); - len += snprintf(buf + len, sizeof(buf) - len, "retry\t%u\t(%u%%)\n", + len += scnprintf(buf + len, sizeof(buf) - len, "retry\t%u\t(%u%%)\n", st->txerr_retry, st->tx_all_count > 0 ? st->txerr_retry * 100 / st->tx_all_count : 0); - len += snprintf(buf + len, sizeof(buf) - len, "FIFO\t%u\t(%u%%)\n", + len += scnprintf(buf + len, sizeof(buf) - len, "FIFO\t%u\t(%u%%)\n", st->txerr_fifo, st->tx_all_count > 0 ? st->txerr_fifo * 100 / st->tx_all_count : 0); - len += snprintf(buf + len, sizeof(buf) - len, "filter\t%u\t(%u%%)\n", + len += scnprintf(buf + len, sizeof(buf) - len, "filter\t%u\t(%u%%)\n", st->txerr_filt, st->tx_all_count > 0 ? st->txerr_filt * 100 / st->tx_all_count : 0); - len += snprintf(buf + len, sizeof(buf) - len, "[TX all\t%u]\n", + len += scnprintf(buf + len, sizeof(buf) - len, "[TX all\t%u]\n", st->tx_all_count); - len += snprintf(buf + len, sizeof(buf) - len, "TX-all-bytes\t%u\n", + len += scnprintf(buf + len, sizeof(buf) - len, "TX-all-bytes\t%u\n", st->tx_bytes_count); if (len > sizeof(buf)) @@ -670,56 +670,56 @@ static ssize_t read_file_ani(struct file *file, char __user *user_buf, char buf[700]; unsigned int len = 0; - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, "HW has PHY error counters:\t%s\n", ah->ah_capabilities.cap_has_phyerr_counters ? "yes" : "no"); - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, "HW max spur immunity level:\t%d\n", as->max_spur_level); - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, "\nANI state\n--------------------------------------------\n"); - len += snprintf(buf + len, sizeof(buf) - len, "operating mode:\t\t\t"); + len += scnprintf(buf + len, sizeof(buf) - len, "operating mode:\t\t\t"); switch (as->ani_mode) { case ATH5K_ANI_MODE_OFF: - len += snprintf(buf + len, sizeof(buf) - len, "OFF\n"); + len += scnprintf(buf + len, sizeof(buf) - len, "OFF\n"); break; case ATH5K_ANI_MODE_MANUAL_LOW: - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, "MANUAL LOW\n"); break; case ATH5K_ANI_MODE_MANUAL_HIGH: - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, "MANUAL HIGH\n"); break; case ATH5K_ANI_MODE_AUTO: - len += snprintf(buf + len, sizeof(buf) - len, "AUTO\n"); + len += scnprintf(buf + len, sizeof(buf) - len, "AUTO\n"); break; default: - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, "??? (not good)\n"); break; } - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, "noise immunity level:\t\t%d\n", as->noise_imm_level); - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, "spur immunity level:\t\t%d\n", as->spur_level); - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, "firstep level:\t\t\t%d\n", as->firstep_level); - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, "OFDM weak signal detection:\t%s\n", as->ofdm_weak_sig ? "on" : "off"); - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, "CCK weak signal detection:\t%s\n", as->cck_weak_sig ? "on" : "off"); - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, "\nMIB INTERRUPTS:\t\t%u\n", st->mib_intr); - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, "beacon RSSI average:\t%d\n", (int)ewma_beacon_rssi_read(&ah->ah_beacon_rssi_avg)); @@ -728,35 +728,35 @@ static ssize_t read_file_ani(struct file *file, char __user *user_buf, _struct.cycles > 0 ? \ _struct._field * 100 / _struct.cycles : 0 - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, "profcnt tx\t\t%u\t(%d%%)\n", CC_PRINT(as->last_cc, tx_frame)); - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, "profcnt rx\t\t%u\t(%d%%)\n", CC_PRINT(as->last_cc, rx_frame)); - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, "profcnt busy\t\t%u\t(%d%%)\n", CC_PRINT(as->last_cc, rx_busy)); #undef CC_PRINT - len += snprintf(buf + len, sizeof(buf) - len, "profcnt cycles\t\t%u\n", + len += scnprintf(buf + len, sizeof(buf) - len, "profcnt cycles\t\t%u\n", as->last_cc.cycles); - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, "listen time\t\t%d\tlast: %d\n", as->listen_time, as->last_listen); - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, "OFDM errors\t\t%u\tlast: %u\tsum: %u\n", as->ofdm_errors, as->last_ofdm_errors, as->sum_ofdm_errors); - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, "CCK errors\t\t%u\tlast: %u\tsum: %u\n", as->cck_errors, as->last_cck_errors, as->sum_cck_errors); - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, "AR5K_PHYERR_CNT1\t%x\t(=%d)\n", ath5k_hw_reg_read(ah, AR5K_PHYERR_CNT1), ATH5K_ANI_OFDM_TRIG_HIGH - (ATH5K_PHYERR_CNT_MAX - ath5k_hw_reg_read(ah, AR5K_PHYERR_CNT1))); - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, "AR5K_PHYERR_CNT2\t%x\t(=%d)\n", ath5k_hw_reg_read(ah, AR5K_PHYERR_CNT2), ATH5K_ANI_CCK_TRIG_HIGH - (ATH5K_PHYERR_CNT_MAX - @@ -836,13 +836,13 @@ static ssize_t read_file_queue(struct file *file, char __user *user_buf, struct ath5k_buf *bf, *bf0; int i, n; - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, "available txbuffers: %d\n", ah->txbuf_len); for (i = 0; i < ARRAY_SIZE(ah->txqs); i++) { txq = &ah->txqs[i]; - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, "%02d: %ssetup\n", i, txq->setup ? "" : "not "); if (!txq->setup) @@ -854,9 +854,9 @@ static ssize_t read_file_queue(struct file *file, char __user *user_buf, n++; spin_unlock_bh(&txq->lock); - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, " len: %d bufs: %d\n", txq->txq_len, n); - len += snprintf(buf + len, sizeof(buf) - len, + len += scnprintf(buf + len, sizeof(buf) - len, " stuck: %d\n", txq->txq_stuck); } From patchwork Wed Mar 11 08:47:09 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Takashi Iwai X-Patchwork-Id: 11431145 X-Patchwork-Delegate: kvalo@adurom.com Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id CEFF51874 for ; Wed, 11 Mar 2020 08:47:21 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id B89C320828 for ; Wed, 11 Mar 2020 08:47:21 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728725AbgCKIrV (ORCPT ); Wed, 11 Mar 2020 04:47:21 -0400 Received: from mx2.suse.de ([195.135.220.15]:55850 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728514AbgCKIrU (ORCPT ); Wed, 11 Mar 2020 04:47:20 -0400 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.220.254]) by mx2.suse.de (Postfix) with ESMTP id D0209AF2F; Wed, 11 Mar 2020 08:47:18 +0000 (UTC) From: Takashi Iwai To: linux-wireless@vger.kernel.org Cc: Kalle Valo , Christian Lamparter Subject: [PATCH 3/7] carl9170: Use scnprintf() for avoiding potential buffer overflow Date: Wed, 11 Mar 2020 09:47:09 +0100 Message-Id: <20200311084713.18220-4-tiwai@suse.de> X-Mailer: git-send-email 2.16.4 In-Reply-To: <20200311084713.18220-1-tiwai@suse.de> References: <20200311084713.18220-1-tiwai@suse.de> Sender: linux-wireless-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org Since snprintf() returns the would-be-output size instead of the actual output size, the succeeding calls may go beyond the given buffer limit. Fix it by replacing with scnprintf(). Cc: Christian Lamparter Signed-off-by: Takashi Iwai --- drivers/net/wireless/ath/carl9170/debug.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/wireless/ath/carl9170/debug.c b/drivers/net/wireless/ath/carl9170/debug.c index a9b6dc17e408..19009aafc4e1 100644 --- a/drivers/net/wireless/ath/carl9170/debug.c +++ b/drivers/net/wireless/ath/carl9170/debug.c @@ -45,7 +45,7 @@ #include "cmd.h" #define ADD(buf, off, max, fmt, args...) \ - off += snprintf(&buf[off], max - off, fmt, ##args); + off += scnprintf(&buf[off], max - off, fmt, ##args); struct carl9170_debugfs_fops { From patchwork Wed Mar 11 08:47:10 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Takashi Iwai X-Patchwork-Id: 11431141 X-Patchwork-Delegate: kvalo@adurom.com Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id DE98D1874 for ; Wed, 11 Mar 2020 08:47:20 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id C8AF820873 for ; Wed, 11 Mar 2020 08:47:20 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728669AbgCKIrU (ORCPT ); Wed, 11 Mar 2020 04:47:20 -0400 Received: from mx2.suse.de ([195.135.220.15]:55858 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728547AbgCKIrU (ORCPT ); Wed, 11 Mar 2020 04:47:20 -0400 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.220.254]) by mx2.suse.de (Postfix) with ESMTP id DD438AF33; Wed, 11 Mar 2020 08:47:18 +0000 (UTC) From: Takashi Iwai To: linux-wireless@vger.kernel.org Cc: Kalle Valo , b43-dev@lists.infradead.org Subject: [PATCH 4/7] b43: Use scnprintf() for avoiding potential buffer overflow Date: Wed, 11 Mar 2020 09:47:10 +0100 Message-Id: <20200311084713.18220-5-tiwai@suse.de> X-Mailer: git-send-email 2.16.4 In-Reply-To: <20200311084713.18220-1-tiwai@suse.de> References: <20200311084713.18220-1-tiwai@suse.de> Sender: linux-wireless-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org Since snprintf() returns the would-be-output size instead of the actual output size, the succeeding calls may go beyond the given buffer limit. Fix it by replacing with scnprintf(). Cc: b43-dev@lists.infradead.org Signed-off-by: Takashi Iwai --- drivers/net/wireless/broadcom/b43/debugfs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/wireless/broadcom/b43/debugfs.c b/drivers/net/wireless/broadcom/b43/debugfs.c index 1325727a74ed..dc1819ca52ac 100644 --- a/drivers/net/wireless/broadcom/b43/debugfs.c +++ b/drivers/net/wireless/broadcom/b43/debugfs.c @@ -51,7 +51,7 @@ struct b43_dfs_file *fops_to_dfs_file(struct b43_wldev *dev, #define fappend(fmt, x...) \ do { \ if (bufsize - count) \ - count += snprintf(buf + count, \ + count += scnprintf(buf + count, \ bufsize - count, \ fmt , ##x); \ else \ From patchwork Wed Mar 11 08:47:11 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Takashi Iwai X-Patchwork-Id: 11431151 X-Patchwork-Delegate: kvalo@adurom.com Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id F19AA921 for ; Wed, 11 Mar 2020 08:47:23 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id DA98B20828 for ; Wed, 11 Mar 2020 08:47:23 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728738AbgCKIrX (ORCPT ); Wed, 11 Mar 2020 04:47:23 -0400 Received: from mx2.suse.de ([195.135.220.15]:55898 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728705AbgCKIrV (ORCPT ); Wed, 11 Mar 2020 04:47:21 -0400 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.220.254]) by mx2.suse.de (Postfix) with ESMTP id 486ECAF68; Wed, 11 Mar 2020 08:47:19 +0000 (UTC) From: Takashi Iwai To: linux-wireless@vger.kernel.org Cc: Kalle Valo , Larry Finger , b43-dev@lists.infradead.org Subject: [PATCH 5/7] b43legacy: Use scnprintf() for avoiding potential buffer overflow Date: Wed, 11 Mar 2020 09:47:11 +0100 Message-Id: <20200311084713.18220-6-tiwai@suse.de> X-Mailer: git-send-email 2.16.4 In-Reply-To: <20200311084713.18220-1-tiwai@suse.de> References: <20200311084713.18220-1-tiwai@suse.de> Sender: linux-wireless-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org Since snprintf() returns the would-be-output size instead of the actual output size, the succeeding calls may go beyond the given buffer limit. Fix it by replacing with scnprintf(). Cc: Larry Finger Cc: b43-dev@lists.infradead.org Signed-off-by: Takashi Iwai --- drivers/net/wireless/broadcom/b43legacy/debugfs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/wireless/broadcom/b43legacy/debugfs.c b/drivers/net/wireless/broadcom/b43legacy/debugfs.c index 082aab8353b8..fa133dfb2ecb 100644 --- a/drivers/net/wireless/broadcom/b43legacy/debugfs.c +++ b/drivers/net/wireless/broadcom/b43legacy/debugfs.c @@ -54,7 +54,7 @@ struct b43legacy_dfs_file * fops_to_dfs_file(struct b43legacy_wldev *dev, #define fappend(fmt, x...) \ do { \ if (bufsize - count) \ - count += snprintf(buf + count, \ + count += scnprintf(buf + count, \ bufsize - count, \ fmt , ##x); \ else \ From patchwork Wed Mar 11 08:47:12 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Takashi Iwai X-Patchwork-Id: 11431153 X-Patchwork-Delegate: kvalo@adurom.com Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 6BD0C1874 for ; Wed, 11 Mar 2020 08:47:24 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 4B61120828 for ; Wed, 11 Mar 2020 08:47:24 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728736AbgCKIrX (ORCPT ); Wed, 11 Mar 2020 04:47:23 -0400 Received: from mx2.suse.de ([195.135.220.15]:55896 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728547AbgCKIrX (ORCPT ); Wed, 11 Mar 2020 04:47:23 -0400 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.220.254]) by mx2.suse.de (Postfix) with ESMTP id 58F60AF72; Wed, 11 Mar 2020 08:47:19 +0000 (UTC) From: Takashi Iwai To: linux-wireless@vger.kernel.org Cc: Kalle Valo , Stanislav Yakovlev Subject: [PATCH 6/7] ipw2x00: Use scnprintf() for avoiding potential buffer overflow Date: Wed, 11 Mar 2020 09:47:12 +0100 Message-Id: <20200311084713.18220-7-tiwai@suse.de> X-Mailer: git-send-email 2.16.4 In-Reply-To: <20200311084713.18220-1-tiwai@suse.de> References: <20200311084713.18220-1-tiwai@suse.de> Sender: linux-wireless-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org Since snprintf() returns the would-be-output size instead of the actual output size, the succeeding calls may go beyond the given buffer limit. Fix it by replacing with scnprintf(). Cc: Stanislav Yakovlev Signed-off-by: Takashi Iwai --- drivers/net/wireless/intel/ipw2x00/ipw2100.c | 16 ++++----- drivers/net/wireless/intel/ipw2x00/ipw2200.c | 48 +++++++++++++------------- drivers/net/wireless/intel/ipw2x00/libipw_rx.c | 4 +-- drivers/net/wireless/intel/ipw2x00/libipw_wx.c | 8 ++--- 4 files changed, 38 insertions(+), 38 deletions(-) diff --git a/drivers/net/wireless/intel/ipw2x00/ipw2100.c b/drivers/net/wireless/intel/ipw2x00/ipw2100.c index 5dfcce77d094..97ea6e2035e6 100644 --- a/drivers/net/wireless/intel/ipw2x00/ipw2100.c +++ b/drivers/net/wireless/intel/ipw2x00/ipw2100.c @@ -629,30 +629,30 @@ static char *snprint_line(char *buf, size_t count, int out, i, j, l; char c; - out = snprintf(buf, count, "%08X", ofs); + out = scnprintf(buf, count, "%08X", ofs); for (l = 0, i = 0; i < 2; i++) { - out += snprintf(buf + out, count - out, " "); + out += scnprintf(buf + out, count - out, " "); for (j = 0; j < 8 && l < len; j++, l++) - out += snprintf(buf + out, count - out, "%02X ", + out += scnprintf(buf + out, count - out, "%02X ", data[(i * 8 + j)]); for (; j < 8; j++) - out += snprintf(buf + out, count - out, " "); + out += scnprintf(buf + out, count - out, " "); } - out += snprintf(buf + out, count - out, " "); + out += scnprintf(buf + out, count - out, " "); for (l = 0, i = 0; i < 2; i++) { - out += snprintf(buf + out, count - out, " "); + out += scnprintf(buf + out, count - out, " "); for (j = 0; j < 8 && l < len; j++, l++) { c = data[(i * 8 + j)]; if (!isascii(c) || !isprint(c)) c = '.'; - out += snprintf(buf + out, count - out, "%c", c); + out += scnprintf(buf + out, count - out, "%c", c); } for (; j < 8; j++) - out += snprintf(buf + out, count - out, " "); + out += scnprintf(buf + out, count - out, " "); } return buf; diff --git a/drivers/net/wireless/intel/ipw2x00/ipw2200.c b/drivers/net/wireless/intel/ipw2x00/ipw2200.c index 5ef6f87a48ac..60b5e08dd6df 100644 --- a/drivers/net/wireless/intel/ipw2x00/ipw2200.c +++ b/drivers/net/wireless/intel/ipw2x00/ipw2200.c @@ -223,30 +223,30 @@ static int snprint_line(char *buf, size_t count, int out, i, j, l; char c; - out = snprintf(buf, count, "%08X", ofs); + out = scnprintf(buf, count, "%08X", ofs); for (l = 0, i = 0; i < 2; i++) { - out += snprintf(buf + out, count - out, " "); + out += scnprintf(buf + out, count - out, " "); for (j = 0; j < 8 && l < len; j++, l++) - out += snprintf(buf + out, count - out, "%02X ", + out += scnprintf(buf + out, count - out, "%02X ", data[(i * 8 + j)]); for (; j < 8; j++) - out += snprintf(buf + out, count - out, " "); + out += scnprintf(buf + out, count - out, " "); } - out += snprintf(buf + out, count - out, " "); + out += scnprintf(buf + out, count - out, " "); for (l = 0, i = 0; i < 2; i++) { - out += snprintf(buf + out, count - out, " "); + out += scnprintf(buf + out, count - out, " "); for (j = 0; j < 8 && l < len; j++, l++) { c = data[(i * 8 + j)]; if (!isascii(c) || !isprint(c)) c = '.'; - out += snprintf(buf + out, count - out, "%c", c); + out += scnprintf(buf + out, count - out, "%c", c); } for (; j < 8; j++) - out += snprintf(buf + out, count - out, " "); + out += scnprintf(buf + out, count - out, " "); } return out; @@ -1279,12 +1279,12 @@ static ssize_t show_event_log(struct device *d, log_len = log_size / sizeof(*log); ipw_capture_event_log(priv, log_len, log); - len += snprintf(buf + len, PAGE_SIZE - len, "%08X", log_len); + len += scnprintf(buf + len, PAGE_SIZE - len, "%08X", log_len); for (i = 0; i < log_len; i++) - len += snprintf(buf + len, PAGE_SIZE - len, + len += scnprintf(buf + len, PAGE_SIZE - len, "\n%08X%08X%08X", log[i].time, log[i].event, log[i].data); - len += snprintf(buf + len, PAGE_SIZE - len, "\n"); + len += scnprintf(buf + len, PAGE_SIZE - len, "\n"); kfree(log); return len; } @@ -1298,13 +1298,13 @@ static ssize_t show_error(struct device *d, u32 len = 0, i; if (!priv->error) return 0; - len += snprintf(buf + len, PAGE_SIZE - len, + len += scnprintf(buf + len, PAGE_SIZE - len, "%08lX%08X%08X%08X", priv->error->jiffies, priv->error->status, priv->error->config, priv->error->elem_len); for (i = 0; i < priv->error->elem_len; i++) - len += snprintf(buf + len, PAGE_SIZE - len, + len += scnprintf(buf + len, PAGE_SIZE - len, "\n%08X%08X%08X%08X%08X%08X%08X", priv->error->elem[i].time, priv->error->elem[i].desc, @@ -1314,15 +1314,15 @@ static ssize_t show_error(struct device *d, priv->error->elem[i].link2, priv->error->elem[i].data); - len += snprintf(buf + len, PAGE_SIZE - len, + len += scnprintf(buf + len, PAGE_SIZE - len, "\n%08X", priv->error->log_len); for (i = 0; i < priv->error->log_len; i++) - len += snprintf(buf + len, PAGE_SIZE - len, + len += scnprintf(buf + len, PAGE_SIZE - len, "\n%08X%08X%08X", priv->error->log[i].time, priv->error->log[i].event, priv->error->log[i].data); - len += snprintf(buf + len, PAGE_SIZE - len, "\n"); + len += scnprintf(buf + len, PAGE_SIZE - len, "\n"); return len; } @@ -1350,7 +1350,7 @@ static ssize_t show_cmd_log(struct device *d, (i != priv->cmdlog_pos) && (len < PAGE_SIZE); i = (i + 1) % priv->cmdlog_len) { len += - snprintf(buf + len, PAGE_SIZE - len, + scnprintf(buf + len, PAGE_SIZE - len, "\n%08lX%08X%08X%08X\n", priv->cmdlog[i].jiffies, priv->cmdlog[i].retcode, priv->cmdlog[i].cmd.cmd, priv->cmdlog[i].cmd.len); @@ -1358,9 +1358,9 @@ static ssize_t show_cmd_log(struct device *d, snprintk_buf(buf + len, PAGE_SIZE - len, (u8 *) priv->cmdlog[i].cmd.param, priv->cmdlog[i].cmd.len); - len += snprintf(buf + len, PAGE_SIZE - len, "\n"); + len += scnprintf(buf + len, PAGE_SIZE - len, "\n"); } - len += snprintf(buf + len, PAGE_SIZE - len, "\n"); + len += scnprintf(buf + len, PAGE_SIZE - len, "\n"); return len; } @@ -9608,24 +9608,24 @@ static int ipw_wx_get_powermode(struct net_device *dev, int level = IPW_POWER_LEVEL(priv->power_mode); char *p = extra; - p += snprintf(p, MAX_WX_STRING, "Power save level: %d ", level); + p += scnprintf(p, MAX_WX_STRING, "Power save level: %d ", level); switch (level) { case IPW_POWER_AC: - p += snprintf(p, MAX_WX_STRING - (p - extra), "(AC)"); + p += scnprintf(p, MAX_WX_STRING - (p - extra), "(AC)"); break; case IPW_POWER_BATTERY: - p += snprintf(p, MAX_WX_STRING - (p - extra), "(BATTERY)"); + p += scnprintf(p, MAX_WX_STRING - (p - extra), "(BATTERY)"); break; default: - p += snprintf(p, MAX_WX_STRING - (p - extra), + p += scnprintf(p, MAX_WX_STRING - (p - extra), "(Timeout %dms, Period %dms)", timeout_duration[level - 1] / 1000, period_duration[level - 1] / 1000); } if (!(priv->power_mode & IPW_POWER_ENABLED)) - p += snprintf(p, MAX_WX_STRING - (p - extra), " OFF"); + p += scnprintf(p, MAX_WX_STRING - (p - extra), " OFF"); wrqu->data.length = p - extra + 1; diff --git a/drivers/net/wireless/intel/ipw2x00/libipw_rx.c b/drivers/net/wireless/intel/ipw2x00/libipw_rx.c index 0cb36d1b983a..5a2a723e480b 100644 --- a/drivers/net/wireless/intel/ipw2x00/libipw_rx.c +++ b/drivers/net/wireless/intel/ipw2x00/libipw_rx.c @@ -1156,7 +1156,7 @@ static int libipw_parse_info_param(struct libipw_info_element for (i = 0; i < network->rates_len; i++) { network->rates[i] = info_element->data[i]; #ifdef CONFIG_LIBIPW_DEBUG - p += snprintf(p, sizeof(rates_str) - + p += scnprintf(p, sizeof(rates_str) - (p - rates_str), "%02X ", network->rates[i]); #endif @@ -1183,7 +1183,7 @@ static int libipw_parse_info_param(struct libipw_info_element for (i = 0; i < network->rates_ex_len; i++) { network->rates_ex[i] = info_element->data[i]; #ifdef CONFIG_LIBIPW_DEBUG - p += snprintf(p, sizeof(rates_str) - + p += scnprintf(p, sizeof(rates_str) - (p - rates_str), "%02X ", network->rates_ex[i]); #endif diff --git a/drivers/net/wireless/intel/ipw2x00/libipw_wx.c b/drivers/net/wireless/intel/ipw2x00/libipw_wx.c index 3d558b47168b..a0cf78c418ac 100644 --- a/drivers/net/wireless/intel/ipw2x00/libipw_wx.c +++ b/drivers/net/wireless/intel/ipw2x00/libipw_wx.c @@ -213,7 +213,7 @@ static char *libipw_translate_scan(struct libipw_device *ieee, * for given network. */ iwe.cmd = IWEVCUSTOM; p = custom; - p += snprintf(p, MAX_CUSTOM_LEN - (p - custom), + p += scnprintf(p, MAX_CUSTOM_LEN - (p - custom), " Last beacon: %ums ago", elapsed_jiffies_msecs(network->last_scanned)); iwe.u.data.length = p - custom; @@ -223,18 +223,18 @@ static char *libipw_translate_scan(struct libipw_device *ieee, /* Add spectrum management information */ iwe.cmd = -1; p = custom; - p += snprintf(p, MAX_CUSTOM_LEN - (p - custom), " Channel flags: "); + p += scnprintf(p, MAX_CUSTOM_LEN - (p - custom), " Channel flags: "); if (libipw_get_channel_flags(ieee, network->channel) & LIBIPW_CH_INVALID) { iwe.cmd = IWEVCUSTOM; - p += snprintf(p, MAX_CUSTOM_LEN - (p - custom), "INVALID "); + p += scnprintf(p, MAX_CUSTOM_LEN - (p - custom), "INVALID "); } if (libipw_get_channel_flags(ieee, network->channel) & LIBIPW_CH_RADAR_DETECT) { iwe.cmd = IWEVCUSTOM; - p += snprintf(p, MAX_CUSTOM_LEN - (p - custom), "DFS "); + p += scnprintf(p, MAX_CUSTOM_LEN - (p - custom), "DFS "); } if (iwe.cmd == IWEVCUSTOM) { From patchwork Wed Mar 11 08:47:13 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Takashi Iwai X-Patchwork-Id: 11431147 X-Patchwork-Delegate: kvalo@adurom.com Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 5BF4C921 for ; Wed, 11 Mar 2020 08:47:22 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 45F4E20828 for ; Wed, 11 Mar 2020 08:47:22 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728727AbgCKIrV (ORCPT ); Wed, 11 Mar 2020 04:47:21 -0400 Received: from mx2.suse.de ([195.135.220.15]:55894 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728688AbgCKIrV (ORCPT ); Wed, 11 Mar 2020 04:47:21 -0400 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.220.254]) by mx2.suse.de (Postfix) with ESMTP id 6858DAF8E; Wed, 11 Mar 2020 08:47:19 +0000 (UTC) From: Takashi Iwai To: linux-wireless@vger.kernel.org Cc: Kalle Valo , Luis Chamberlain Subject: [PATCH 7/7] prism54: Use scnprintf() for avoiding potential buffer overflow Date: Wed, 11 Mar 2020 09:47:13 +0100 Message-Id: <20200311084713.18220-8-tiwai@suse.de> X-Mailer: git-send-email 2.16.4 In-Reply-To: <20200311084713.18220-1-tiwai@suse.de> References: <20200311084713.18220-1-tiwai@suse.de> Sender: linux-wireless-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org Since snprintf() returns the would-be-output size instead of the actual output size, the succeeding calls may go beyond the given buffer limit. Fix it by replacing with scnprintf(). Cc: Luis Chamberlain Signed-off-by: Takashi Iwai --- drivers/net/wireless/intersil/prism54/oid_mgt.c | 34 ++++++++++++------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/drivers/net/wireless/intersil/prism54/oid_mgt.c b/drivers/net/wireless/intersil/prism54/oid_mgt.c index 5705ad925a51..9fd307ca4b6d 100644 --- a/drivers/net/wireless/intersil/prism54/oid_mgt.c +++ b/drivers/net/wireless/intersil/prism54/oid_mgt.c @@ -780,17 +780,17 @@ mgt_response_to_str(enum oid_num_t n, union oid_res_t *r, char *str) { switch (isl_oid[n].flags & OID_FLAG_TYPE) { case OID_TYPE_U32: - return snprintf(str, PRIV_STR_SIZE, "%u\n", r->u); + return scnprintf(str, PRIV_STR_SIZE, "%u\n", r->u); case OID_TYPE_BUFFER:{ struct obj_buffer *buff = r->ptr; - return snprintf(str, PRIV_STR_SIZE, + return scnprintf(str, PRIV_STR_SIZE, "size=%u\naddr=0x%X\n", buff->size, buff->addr); } break; case OID_TYPE_BSS:{ struct obj_bss *bss = r->ptr; - return snprintf(str, PRIV_STR_SIZE, + return scnprintf(str, PRIV_STR_SIZE, "age=%u\nchannel=%u\n" "capinfo=0x%X\nrates=0x%X\n" "basic_rates=0x%X\n", bss->age, @@ -801,9 +801,9 @@ mgt_response_to_str(enum oid_num_t n, union oid_res_t *r, char *str) case OID_TYPE_BSSLIST:{ struct obj_bsslist *list = r->ptr; int i, k; - k = snprintf(str, PRIV_STR_SIZE, "nr=%u\n", list->nr); + k = scnprintf(str, PRIV_STR_SIZE, "nr=%u\n", list->nr); for (i = 0; i < list->nr; i++) - k += snprintf(str + k, PRIV_STR_SIZE - k, + k += scnprintf(str + k, PRIV_STR_SIZE - k, "bss[%u] :\nage=%u\nchannel=%u\n" "capinfo=0x%X\nrates=0x%X\n" "basic_rates=0x%X\n", @@ -819,23 +819,23 @@ mgt_response_to_str(enum oid_num_t n, union oid_res_t *r, char *str) struct obj_frequencies *freq = r->ptr; int i, t; printk("nr : %u\n", freq->nr); - t = snprintf(str, PRIV_STR_SIZE, "nr=%u\n", freq->nr); + t = scnprintf(str, PRIV_STR_SIZE, "nr=%u\n", freq->nr); for (i = 0; i < freq->nr; i++) - t += snprintf(str + t, PRIV_STR_SIZE - t, + t += scnprintf(str + t, PRIV_STR_SIZE - t, "mhz[%u]=%u\n", i, freq->mhz[i]); return t; } break; case OID_TYPE_MLME:{ struct obj_mlme *mlme = r->ptr; - return snprintf(str, PRIV_STR_SIZE, + return scnprintf(str, PRIV_STR_SIZE, "id=0x%X\nstate=0x%X\ncode=0x%X\n", mlme->id, mlme->state, mlme->code); } break; case OID_TYPE_MLMEEX:{ struct obj_mlmeex *mlme = r->ptr; - return snprintf(str, PRIV_STR_SIZE, + return scnprintf(str, PRIV_STR_SIZE, "id=0x%X\nstate=0x%X\n" "code=0x%X\nsize=0x%X\n", mlme->id, mlme->state, mlme->code, mlme->size); @@ -843,7 +843,7 @@ mgt_response_to_str(enum oid_num_t n, union oid_res_t *r, char *str) break; case OID_TYPE_ATTACH:{ struct obj_attachment *attach = r->ptr; - return snprintf(str, PRIV_STR_SIZE, + return scnprintf(str, PRIV_STR_SIZE, "id=%d\nsize=%d\n", attach->id, attach->size); @@ -851,7 +851,7 @@ mgt_response_to_str(enum oid_num_t n, union oid_res_t *r, char *str) break; case OID_TYPE_SSID:{ struct obj_ssid *ssid = r->ptr; - return snprintf(str, PRIV_STR_SIZE, + return scnprintf(str, PRIV_STR_SIZE, "length=%u\noctets=%.*s\n", ssid->length, ssid->length, ssid->octets); @@ -860,13 +860,13 @@ mgt_response_to_str(enum oid_num_t n, union oid_res_t *r, char *str) case OID_TYPE_KEY:{ struct obj_key *key = r->ptr; int t, i; - t = snprintf(str, PRIV_STR_SIZE, + t = scnprintf(str, PRIV_STR_SIZE, "type=0x%X\nlength=0x%X\nkey=0x", key->type, key->length); for (i = 0; i < key->length; i++) - t += snprintf(str + t, PRIV_STR_SIZE - t, + t += scnprintf(str + t, PRIV_STR_SIZE - t, "%02X:", key->key[i]); - t += snprintf(str + t, PRIV_STR_SIZE - t, "\n"); + t += scnprintf(str + t, PRIV_STR_SIZE - t, "\n"); return t; } break; @@ -874,11 +874,11 @@ mgt_response_to_str(enum oid_num_t n, union oid_res_t *r, char *str) case OID_TYPE_ADDR:{ unsigned char *buff = r->ptr; int t, i; - t = snprintf(str, PRIV_STR_SIZE, "hex data="); + t = scnprintf(str, PRIV_STR_SIZE, "hex data="); for (i = 0; i < isl_oid[n].size; i++) - t += snprintf(str + t, PRIV_STR_SIZE - t, + t += scnprintf(str + t, PRIV_STR_SIZE - t, "%02X:", buff[i]); - t += snprintf(str + t, PRIV_STR_SIZE - t, "\n"); + t += scnprintf(str + t, PRIV_STR_SIZE - t, "\n"); return t; } break;