* [PATCH][next][V2] wlcore: Fix buffer overrun by snprintf due to incorrect buffer size
@ 2021-04-19 14:14 Colin King
2021-04-22 14:39 ` Kalle Valo
0 siblings, 1 reply; 2+ messages in thread
From: Colin King @ 2021-04-19 14:14 UTC (permalink / raw)
To: Kalle Valo, David S . Miller, Jakub Kicinski, Arnd Bergmann,
linux-wireless, netdev
Cc: kernel-janitors, linux-kernel
From: Colin Ian King <colin.king@canonical.com>
The size of the buffer than can be written to is currently incorrect, it is
always the size of the entire buffer even though the snprintf is writing
as position pos into the buffer. Fix this by setting the buffer size to be
the number of bytes left in the buffer, namely sizeof(buf) - pos.
Addresses-Coverity: ("Out-of-bounds access")
Fixes: 7b0e2c4f6be3 ("wlcore: fix overlapping snprintf arguments in debugfs")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Reviewed-by: Arnd Bergmann <arnd@arndb.de>
---
V2: Fix patch subject
---
drivers/net/wireless/ti/wlcore/debugfs.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/wireless/ti/wlcore/debugfs.h b/drivers/net/wireless/ti/wlcore/debugfs.h
index 715edfa5f89f..a9e13e6d65c5 100644
--- a/drivers/net/wireless/ti/wlcore/debugfs.h
+++ b/drivers/net/wireless/ti/wlcore/debugfs.h
@@ -84,7 +84,7 @@ static ssize_t sub## _ ##name## _read(struct file *file, \
wl1271_debugfs_update_stats(wl); \
\
for (i = 0; i < len && pos < sizeof(buf); i++) \
- pos += snprintf(buf + pos, sizeof(buf), \
+ pos += snprintf(buf + pos, sizeof(buf) - pos, \
"[%d] = %d\n", i, stats->sub.name[i]); \
\
return wl1271_format_buffer(userbuf, count, ppos, "%s", buf); \
--
2.30.2
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH][next][V2] wlcore: Fix buffer overrun by snprintf due to incorrect buffer size
2021-04-19 14:14 [PATCH][next][V2] wlcore: Fix buffer overrun by snprintf due to incorrect buffer size Colin King
@ 2021-04-22 14:39 ` Kalle Valo
0 siblings, 0 replies; 2+ messages in thread
From: Kalle Valo @ 2021-04-22 14:39 UTC (permalink / raw)
To: Colin King
Cc: David S . Miller, Jakub Kicinski, Arnd Bergmann, linux-wireless,
netdev, kernel-janitors, linux-kernel
Colin King <colin.king@canonical.com> wrote:
> From: Colin Ian King <colin.king@canonical.com>
>
> The size of the buffer than can be written to is currently incorrect, it is
> always the size of the entire buffer even though the snprintf is writing
> as position pos into the buffer. Fix this by setting the buffer size to be
> the number of bytes left in the buffer, namely sizeof(buf) - pos.
>
> Addresses-Coverity: ("Out-of-bounds access")
> Fixes: 7b0e2c4f6be3 ("wlcore: fix overlapping snprintf arguments in debugfs")
> Signed-off-by: Colin Ian King <colin.king@canonical.com>
> Reviewed-by: Arnd Bergmann <arnd@arndb.de>
Patch applied to wireless-drivers-next.git, thanks.
a9a4c080deb3 wlcore: Fix buffer overrun by snprintf due to incorrect buffer size
--
https://patchwork.kernel.org/project/linux-wireless/patch/20210419141405.180582-1-colin.king@canonical.com/
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2021-04-22 14:40 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-04-19 14:14 [PATCH][next][V2] wlcore: Fix buffer overrun by snprintf due to incorrect buffer size Colin King
2021-04-22 14:39 ` Kalle Valo
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.