From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id E8283C433F5 for ; Sun, 24 Apr 2022 15:35:48 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234758AbiDXPic (ORCPT ); Sun, 24 Apr 2022 11:38:32 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46904 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S240693AbiDXPeR (ORCPT ); Sun, 24 Apr 2022 11:34:17 -0400 Received: from mxout01.lancloud.ru (mxout01.lancloud.ru [45.84.86.81]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 43480170E3F for ; Sun, 24 Apr 2022 08:31:11 -0700 (PDT) Received: from LanCloud DKIM-Filter: OpenDKIM Filter v2.11.0 mxout01.lancloud.ru E6FB520D5693 Received: from LanCloud Received: from LanCloud Received: from LanCloud Subject: Re: [PATCH 1/2] usb: host: uhci-debug: use scnprintf() instead of sprintf() To: David Laight , Alan Stern , Greg Kroah-Hartman , "linux-usb@vger.kernel.org" References: <20220312202834.11700-1-s.shtylyov@omp.ru> <20220312202834.11700-2-s.shtylyov@omp.ru> <5e5c26cde6814a56a00019d81d23f386@AcuMS.aculab.com> From: Sergey Shtylyov Organization: Open Mobile Platform Message-ID: Date: Sun, 24 Apr 2022 18:31:06 +0300 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.10.1 MIME-Version: 1.0 In-Reply-To: <5e5c26cde6814a56a00019d81d23f386@AcuMS.aculab.com> Content-Type: text/plain; charset="utf-8" Content-Language: en-US Content-Transfer-Encoding: 7bit X-Originating-IP: [192.168.11.198] X-ClientProxiedBy: LFEXT01.lancloud.ru (fd00:f066::141) To LFEX1907.lancloud.ru (fd00:f066::207) Precedence: bulk List-ID: X-Mailing-List: linux-usb@vger.kernel.org On 3/13/22 1:33 AM, David Laight wrote: [...] >> The UHCI driver's debugging code uses a lot of sprintf() calls with the >> large buffers, leaving some space at the end of the buffers to handle the >> buffer overflow. Using scnprntf() instead eliminates the very possibility >> of the buffer overflow, while simplifying the code at the expense of not >> printing an ellipsis when the end of buffer is actually reached... > > Hmmm... > > The old code seems to so: s/so/do/? :-) >> - out += sprintf(out, "(buf=%08x)\n", hc32_to_cpu(uhci, td->buffer)); >> >> - if (out - buf > len) >> - out += sprintf(out, " ...\n"); > > Which is going to overflow the output buffer unless there > is enough 'tailroom' after buf[len] for all the sprintf() There are 1024 bytes (EXTRA_SPACE)... > before any length check and the ellipsis. > > The new code won't overrun buf[len] but also fails to > '\n' terminate long lines. Yes. And one also has problems correctly identifying the overflowing lines (iff such line ends exactly at end of buffer)... :-( > So you probably do need a check for: > if (out == len - 1 && buf[out - 1] != '\n') 'out' is a pointer, you probably meant: if (out - buf == len - 1 && *(out - 1) != '\n') > strcpy(buf + len - 5, "...\n"); That's not exactly what's done by the existing code... I think we'd be better off using strrchr()... but then again, we're not sure we have at least 5 bytes... > David [...] MBR, Sergey