From 72e7375cafc12eaac17f774872fd24f4de1a5c07 Mon Sep 17 00:00:00 2001 From: Takashi Iwai Date: Wed, 11 Mar 2020 10:24:49 +0100 Subject: [PATCH] staging: rtl8188eu: Use scnprintf() for avoiding potential buffer overflow Since snprintf() returns the would-be-output size instead of the actual output size, the succeeding calls may go beyond the given buffer limit. Fix it by replacing with scnprintf(). Signed-off-by: Takashi Iwai Link: https://lore.kernel.org/r/20200311092451.23933-2-tiwai@suse.de Signed-off-by: Greg Kroah-Hartman --- drivers/staging/rtl8188eu/core/rtw_debug.c | 16 ++++++++-------- drivers/staging/rtl8188eu/os_dep/ioctl_linux.c | 4 ++-- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/drivers/staging/rtl8188eu/core/rtw_debug.c b/drivers/staging/rtl8188eu/core/rtw_debug.c index 6c2fe1a112ac..d0e41f2ef1ce 100644 --- a/drivers/staging/rtl8188eu/core/rtw_debug.c +++ b/drivers/staging/rtl8188eu/core/rtw_debug.c @@ -15,7 +15,7 @@ int proc_get_drv_version(char *page, char **start, { int len = 0; - len += snprintf(page + len, count - len, "%s\n", DRIVERVERSION); + len += scnprintf(page + len, count - len, "%s\n", DRIVERVERSION); *eof = 1; return len; @@ -86,16 +86,16 @@ int proc_get_read_reg(char *page, char **start, switch (proc_get_read_len) { case 1: - len += snprintf(page + len, count - len, "usb_read8(0x%x)=0x%x\n", proc_get_read_addr, usb_read8(padapter, proc_get_read_addr)); + len += scnprintf(page + len, count - len, "usb_read8(0x%x)=0x%x\n", proc_get_read_addr, usb_read8(padapter, proc_get_read_addr)); break; case 2: - len += snprintf(page + len, count - len, "usb_read16(0x%x)=0x%x\n", proc_get_read_addr, usb_read16(padapter, proc_get_read_addr)); + len += scnprintf(page + len, count - len, "usb_read16(0x%x)=0x%x\n", proc_get_read_addr, usb_read16(padapter, proc_get_read_addr)); break; case 4: - len += snprintf(page + len, count - len, "usb_read32(0x%x)=0x%x\n", proc_get_read_addr, usb_read32(padapter, proc_get_read_addr)); + len += scnprintf(page + len, count - len, "usb_read32(0x%x)=0x%x\n", proc_get_read_addr, usb_read32(padapter, proc_get_read_addr)); break; default: - len += snprintf(page + len, count - len, "error read length=%d\n", proc_get_read_len); + len += scnprintf(page + len, count - len, "error read length=%d\n", proc_get_read_len); break; } @@ -138,7 +138,7 @@ int proc_get_adapter_state(char *page, char **start, struct adapter *padapter = (struct adapter *)rtw_netdev_priv(dev); int len = 0; - len += snprintf(page + len, count - len, "bSurpriseRemoved=%d, bDriverStopped=%d\n", + len += scnprintf(page + len, count - len, "bSurpriseRemoved=%d, bDriverStopped=%d\n", padapter->bSurpriseRemoved, padapter->bDriverStopped); *eof = 1; @@ -170,11 +170,11 @@ int proc_get_best_channel(char *page, char **start, } /* debug */ - len += snprintf(page + len, count - len, "The rx cnt of channel %3d = %d\n", + len += scnprintf(page + len, count - len, "The rx cnt of channel %3d = %d\n", pmlmeext->channel_set[i].ChannelNum, pmlmeext->channel_set[i].rx_count); } - len += snprintf(page + len, count - len, "best_channel_24G = %d\n", best_channel_24G); + len += scnprintf(page + len, count - len, "best_channel_24G = %d\n", best_channel_24G); *eof = 1; return len; diff --git a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c index ba53959e1303..9a89791720e0 100644 --- a/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c +++ b/drivers/staging/rtl8188eu/os_dep/ioctl_linux.c @@ -193,12 +193,12 @@ static char *translate_scan(struct adapter *padapter, /*Add basic and extended rates */ max_rate = 0; p = custom; - p += snprintf(p, MAX_CUSTOM_LEN - (p - custom), " Rates (Mb/s): "); + p += scnprintf(p, MAX_CUSTOM_LEN - (p - custom), " Rates (Mb/s): "); while (pnetwork->network.SupportedRates[i] != 0) { rate = pnetwork->network.SupportedRates[i]&0x7F; if (rate > max_rate) max_rate = rate; - p += snprintf(p, MAX_CUSTOM_LEN - (p - custom), + p += scnprintf(p, MAX_CUSTOM_LEN - (p - custom), "%d%s ", rate >> 1, (rate & 1) ? ".5" : ""); i++; }