From: Joe Perches <joe@perches.com>
To: Salah Triki <salah.triki@gmail.com>
Cc: dan.j.williams@intel.com, vishal.l.verma@intel.com,
dave.jiang@intel.com, nvdimm@lists.linux.dev,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH] dax: replace sprintf() by scnprintf()
Date: Mon, 12 Jul 2021 09:14:53 -0700 [thread overview]
Message-ID: <6fe3c15d985017ad4e7a266bcf214a711326f151.camel@perches.com> (raw)
In-Reply-To: <20210712122624.GB777994@pc>
On Mon, 2021-07-12 at 13:26 +0100, Salah Triki wrote:
> On Sat, Jul 10, 2021 at 10:04:48AM -0700, Joe Perches wrote:
> > On Sat, 2021-07-10 at 17:46 +0100, Salah Triki wrote:
> > > Replace sprintf() by scnprintf() in order to avoid buffer overflows.
> >
> > OK but also not strictly necessary. DAX_NAME_LEN is 30.
> >
> > Are you finding and changing these manually or with a script?
> >
> > > diff --git a/drivers/dax/bus.c b/drivers/dax/bus.c
> > []
> > > @@ -76,7 +76,7 @@ static ssize_t do_id_store(struct device_driver *drv, const char *buf,
> > > fields = sscanf(buf, "dax%d.%d", ®ion_id, &id);
> > > if (fields != 2)
> > > return -EINVAL;
> > > - sprintf(devname, "dax%d.%d", region_id, id);
> > > + scnprintf(devname, DAX_NAME_LEN, "dax%d.%d", region_id, id);
> > > if (!sysfs_streq(buf, devname))
> > > return -EINVAL;
> > >
> > >
> >
> >
>
> since region_id and id are unsigned long may be devname should be
> char[21].
I think you need to look at the code a bit more carefully.
unsigned int region_id, id;
Also the output is %d, so the maximum length of each output
int is 10 with a possible leading minus sign.
3 + 10 + 1 + 10 + 1. So 25 not 21 which is too small.
The %d uses could be changed to %u to make it 23.
But really it hardly matters as 30 is sufficent and the
function call depth here isn't particularly high.
> I'm finding and changing these manually.
coccinelle could help.
https://coccinelle.gitlabpages.inria.fr/website/
next prev parent reply other threads:[~2021-07-12 19:53 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-07-10 16:46 [PATCH] dax: replace sprintf() by scnprintf() Salah Triki
2021-07-10 17:04 ` Joe Perches
2021-07-10 17:04 ` Joe Perches
2021-07-12 12:26 ` Salah Triki
2021-07-12 16:14 ` Joe Perches [this message]
2021-07-12 16:14 ` Joe Perches
2021-07-12 16:48 ` Salah Triki
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=6fe3c15d985017ad4e7a266bcf214a711326f151.camel@perches.com \
--to=joe@perches.com \
--cc=dan.j.williams@intel.com \
--cc=dave.jiang@intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=nvdimm@lists.linux.dev \
--cc=salah.triki@gmail.com \
--cc=vishal.l.verma@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.