linux-rdma.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH] infiniband: hfi1: Use scnprintf() for avoiding potential buffer overflow
@ 2020-03-19 15:46 Takashi Iwai
  2020-03-26 18:06 ` Jason Gunthorpe
  0 siblings, 1 reply; 2+ messages in thread
From: Takashi Iwai @ 2020-03-19 15:46 UTC (permalink / raw)
  To: linux-rdma
  Cc: Mike Marciniszyn, Dennis Dalessandro, Doug Ledford, Jason Gunthorpe

Since snprintf() returns the would-be-output size instead of the
actual output size, the succeeding calls may go beyond the given
buffer limit.  Fix it by replacing with scnprintf().

Cc: Mike Marciniszyn <mike.marciniszyn@intel.com>
Cc: Dennis Dalessandro <dennis.dalessandro@intel.com>
Cc: Doug Ledford <dledford@redhat.com>
Cc: Jason Gunthorpe <jgg@ziepe.ca>
Cc: linux-rdma@vger.kernel.org
Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
 drivers/infiniband/hw/hfi1/fault.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/infiniband/hw/hfi1/fault.c b/drivers/infiniband/hw/hfi1/fault.c
index 986c12153e62..0dfbcfb048ca 100644
--- a/drivers/infiniband/hw/hfi1/fault.c
+++ b/drivers/infiniband/hw/hfi1/fault.c
@@ -222,11 +222,11 @@ static ssize_t fault_opcodes_read(struct file *file, char __user *buf,
 	while (bit < bitsize) {
 		zero = find_next_zero_bit(fault->opcodes, bitsize, bit);
 		if (zero - 1 != bit)
-			size += snprintf(data + size,
+			size += scnprintf(data + size,
 					 datalen - size - 1,
 					 "0x%lx-0x%lx,", bit, zero - 1);
 		else
-			size += snprintf(data + size,
+			size += scnprintf(data + size,
 					 datalen - size - 1, "0x%lx,",
 					 bit);
 		bit = find_next_bit(fault->opcodes, bitsize, zero);
-- 
2.16.4


^ permalink raw reply related	[flat|nested] 2+ messages in thread
* Re: [PATCH] infiniband: hfi1: Use scnprintf() for avoiding potential buffer overflow
  2020-03-19 15:46 [PATCH] infiniband: hfi1: Use scnprintf() for avoiding potential buffer overflow Takashi Iwai
@ 2020-03-26 18:06 ` Jason Gunthorpe
  0 siblings, 0 replies; 2+ messages in thread
From: Jason Gunthorpe @ 2020-03-26 18:06 UTC (permalink / raw)
  To: Takashi Iwai
  Cc: linux-rdma, Mike Marciniszyn, Dennis Dalessandro, Doug Ledford

On Thu, Mar 19, 2020 at 04:46:41PM +0100, Takashi Iwai wrote:
> Since snprintf() returns the would-be-output size instead of the
> actual output size, the succeeding calls may go beyond the given
> buffer limit.  Fix it by replacing with scnprintf().
> 
> Cc: Mike Marciniszyn <mike.marciniszyn@intel.com>
> Cc: Dennis Dalessandro <dennis.dalessandro@intel.com>
> Cc: Doug Ledford <dledford@redhat.com>
> Cc: Jason Gunthorpe <jgg@ziepe.ca>
> Cc: linux-rdma@vger.kernel.org
> Signed-off-by: Takashi Iwai <tiwai@suse.de>
> ---
>  drivers/infiniband/hw/hfi1/fault.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)

Applied to for-next, thanks

Jason

^ permalink raw reply	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2020-03-26 18:07 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-03-19 15:46 [PATCH] infiniband: hfi1: Use scnprintf() for avoiding potential buffer overflow Takashi Iwai
2020-03-26 18:06 ` Jason Gunthorpe

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).