From: Candy Febriyanto <cfebriyanto@gmail.com>
To: gregkh@linuxfoundation.org, hdegoede@redhat.com,
Larry.Finger@lwfinger.net, devel@driverdev.osuosl.org
Subject: [PATCH 3/3] staging: rtl8723bs: os_dep: Replace sprintf with scnprintf
Date: Mon, 1 Mar 2021 20:13:54 +0700 [thread overview]
Message-ID: <502b559ee7d6a2736f10d8228002ac7780243cd1.1614603705.git.cfebriyanto@gmail.com> (raw)
In-Reply-To: <cover.1614603705.git.cfebriyanto@gmail.com>
The use of sprintf with a format string here means that there is a risk
that the writes will go out of bounds; replace it with scnprintf.
In one block of the translate_scan function sprintf is only called once
(it's not being used to concatenate strings) so there is no need to keep
the pointer "p", remove it.
Signed-off-by: Candy Febriyanto <cfebriyanto@gmail.com>
---
.../staging/rtl8723bs/os_dep/ioctl_linux.c | 20 ++++++++++---------
drivers/staging/rtl8723bs/os_dep/mlme_linux.c | 6 +++---
2 files changed, 14 insertions(+), 12 deletions(-)
diff --git a/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c b/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c
index 41389e266f54..0bc3585d7097 100644
--- a/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c
+++ b/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c
@@ -240,9 +240,10 @@ static char *translate_scan(struct adapter *padapter,
return start;
if (wpa_len > 0) {
p = buf;
- p += sprintf(p, "wpa_ie =");
+ p += scnprintf(p, (MAX_WPA_IE_LEN * 2) - (p - buf), "wpa_ie =");
for (i = 0; i < wpa_len; i++)
- p += sprintf(p, "%02x", wpa_ie[i]);
+ p += scnprintf(p, (MAX_WPA_IE_LEN * 2) - (p - buf),
+ "%02x", wpa_ie[i]);
if (wpa_len > 100) {
printk("-----------------Len %d----------------\n", wpa_len);
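Review bot: The bound `(MAX_WPA_IE_LEN * 2) - (p - buf)` in the wpa_ie writes is correct only if buf was allocated with MAX_WPA_IE_LEN * 2 bytes, and that allocation is outside this hunk; the same expression is repeated in the rsn_ie hunk that follows. Keeping the size in one place, e.g. `const size_t buf_len = MAX_WPA_IE_LEN * 2;` next to the allocation and `buf_len - (p - buf)` at each call, would stop the bound drifting away from the allocation. scnprintf also truncates silently, so an over-long IE now yields a cut-off hex string instead of an out-of-bounds write; a comment such as `/* output is truncated if the IE does not fit in buf */` above the loop would make that explicit. The body of translate_scan starts and ends outside the hunk.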
@@ -265,9 +266,10 @@ static char *translate_scan(struct adapter *padapter,
if (rsn_len > 0) {
p = buf;
memset(buf, 0, MAX_WPA_IE_LEN*2);
- p += sprintf(p, "rsn_ie =");
+ p += scnprintf(p, (MAX_WPA_IE_LEN * 2) - (p - buf), "rsn_ie =");
for (i = 0; i < rsn_len; i++)
- p += sprintf(p, "%02x", rsn_ie[i]);
+ p += scnprintf(p, (MAX_WPA_IE_LEN * 2) - (p - buf),
+ "%02x", rsn_ie[i]);
memset(&iwe, 0, sizeof(iwe));
iwe.cmd = IWEVCUSTOM;
iwe.u.data.length = strlen(buf);
@@ -365,14 +367,14 @@ static char *translate_scan(struct adapter *padapter,
{
u8 *buf;
- u8 *p, *pos;
+ u8 *pos;
buf = kzalloc(MAX_WPA_IE_LEN, GFP_ATOMIC);
if (!buf)
goto exit;
- p = buf;
+
pos = pnetwork->network.Reserved;
- p += sprintf(p, "fm =%02X%02X", pos[1], pos[0]);
+ scnprintf(buf, MAX_WPA_IE_LEN, "fm =%02X%02X", pos[1], pos[0]);
memset(&iwe, 0, sizeof(iwe));
iwe.cmd = IWEVCUSTOM;
iwe.u.data.length = strlen(buf);
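Review bot: The return value of the new `scnprintf(buf, MAX_WPA_IE_LEN, ...)` call is discarded and the length is recomputed with `strlen(buf)` a few lines later. Since scnprintf returns the number of characters actually written, `iwe.u.data.length = scnprintf(buf, MAX_WPA_IE_LEN, "fm =%02X%02X", pos[1], pos[0]);` placed after the memset of iwe would do the same without a second pass. The formatted string is a fixed 8 characters, so a small on-stack array would also remove the GFP_ATOMIC allocation and its failure path. The enclosing block continues past the end of the hunk.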
@@ -5082,7 +5084,7 @@ static int rtw_ioctl_wext_private(struct net_device *dev, union iwreq_data *wrq_
case IW_PRIV_TYPE_BYTE:
/* Display args */
for (j = 0; j < n; j++) {
- sprintf(str, "%d ", extra[j]);
+ scnprintf(str, sizeof(str), "%d ", extra[j]);
len = strlen(str);
output_len = strlen(output);
if ((output_len + len + 1) > 4096) {
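Review bot: `sizeof(str)` is the right bound only if str is declared as an array in rtw_ioctl_wext_private, and the declaration is outside this hunk. If str is a pointer, the limit becomes the pointer size (4 or 8 bytes) and larger values are cut off; the `((__s32 *)extra)[j]` case in the next hunk can need up to 12 characters plus the terminator. Please confirm the declaration, and pass the real capacity explicitly if it is not an array. Both call sites also recompute `len = strlen(str)` although scnprintf already returns that count, so `len = scnprintf(str, sizeof(str), "%d ", extra[j]);` would be simpler.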
@@ -5096,7 +5098,7 @@ static int rtw_ioctl_wext_private(struct net_device *dev, union iwreq_data *wrq_
case IW_PRIV_TYPE_INT:
/* Display args */
for (j = 0; j < n; j++) {
- sprintf(str, "%d ", ((__s32 *)extra)[j]);
+ scnprintf(str, sizeof(str), "%d ", ((__s32 *)extra)[j]);
len = strlen(str);
output_len = strlen(output);
if ((output_len + len + 1) > 4096) {
diff --git a/drivers/staging/rtl8723bs/os_dep/mlme_linux.c b/drivers/staging/rtl8723bs/os_dep/mlme_linux.c
index d46c65ab384b..20899b2cff43 100644
--- a/drivers/staging/rtl8723bs/os_dep/mlme_linux.c
+++ b/drivers/staging/rtl8723bs/os_dep/mlme_linux.c
@@ -159,15 +159,15 @@ void rtw_report_sec_ie(struct adapter *adapter, u8 authmode, u8 *sec_ie)
}
p = buff;
- p += sprintf(p, "ASSOCINFO(ReqIEs =");
+ p += scnprintf(p, IW_CUSTOM_MAX - (p - buff), "ASSOCINFO(ReqIEs =");
len = sec_ie[1] + 2;
len = (len < IW_CUSTOM_MAX) ? len : IW_CUSTOM_MAX;
for (i = 0; i < len; i++)
- p += sprintf(p, "%02x", sec_ie[i]);
+ p += scnprintf(p, IW_CUSTOM_MAX - (p - buff), "%02x", sec_ie[i]);
- p += sprintf(p, ")");
+ p += scnprintf(p, IW_CUSTOM_MAX - (p - buff), ")");
memset(&wrqu, 0, sizeof(wrqu));
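Review bot: The clamp `len = (len < IW_CUSTOM_MAX) ? len : IW_CUSTOM_MAX;` counts input bytes, but the loop emits two characters per byte, so with the bounded writes a long IE is silently cut off and the closing `)` can be dropped from the event string. Assuming buff holds IW_CUSTOM_MAX bytes (its allocation is outside the hunk), the clamp should be expressed in output capacity after the prefix, e.g. `len = min_t(int, sec_ie[1] + 2, (IW_CUSTOM_MAX - (p - buff) - 2) / 2);`, which reserves room for `)` and the terminator; adjust the type to match len's declaration. The length is read from sec_ie[1], i.e. from the IE data itself, so the bound should not depend on that byte being well-formed.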
--
2.30.1