* [PATCH v2 0/6] net: Use scnprintf() for avoiding potential buffer overflow
@ 2020-03-15 9:34 Takashi Iwai
2020-03-15 9:34 ` [PATCH v2 1/6] net: caif: " Takashi Iwai
` (6 more replies)
0 siblings, 7 replies; 9+ messages in thread
From: Takashi Iwai @ 2020-03-15 9:34 UTC (permalink / raw)
To: netdev
Hi,
here is a respin of trivial patch series just to convert suspicious
snprintf() usages with the more safer one, scnprintf().
v1->v2: Align the remaining lines to the open parenthesis
Excluded i40e patch that was already queued
Takashi
===
Takashi Iwai (6):
net: caif: Use scnprintf() for avoiding potential buffer overflow
net: mlx4: Use scnprintf() for avoiding potential buffer overflow
net: nfp: Use scnprintf() for avoiding potential buffer overflow
net: ionic: Use scnprintf() for avoiding potential buffer overflow
net: sfc: Use scnprintf() for avoiding potential buffer overflow
net: netdevsim: Use scnprintf() for avoiding potential buffer overflow
drivers/net/caif/caif_spi.c | 72 +++++++++++-----------
drivers/net/ethernet/mellanox/mlx4/mcg.c | 62 +++++++++----------
.../ethernet/netronome/nfp/nfpcore/nfp6000_pcie.c | 8 +--
drivers/net/ethernet/pensando/ionic/ionic_lif.c | 14 ++---
drivers/net/ethernet/sfc/mcdi.c | 32 +++++-----
drivers/net/netdevsim/ipsec.c | 30 ++++-----
6 files changed, 111 insertions(+), 107 deletions(-)
--
2.16.4
^ permalink raw reply [flat|nested] 9+ messages in thread
* [PATCH v2 1/6] net: caif: Use scnprintf() for avoiding potential buffer overflow
2020-03-15 9:34 [PATCH v2 0/6] net: Use scnprintf() for avoiding potential buffer overflow Takashi Iwai
@ 2020-03-15 9:34 ` Takashi Iwai
2020-03-15 9:34 ` [PATCH v2 2/6] net: mlx4: " Takashi Iwai
` (5 subsequent siblings)
6 siblings, 0 replies; 9+ messages in thread
From: Takashi Iwai @ 2020-03-15 9:34 UTC (permalink / raw)
To: netdev; +Cc: David S . Miller
Since snprintf() returns the would-be-output size instead of the
actual output size, the succeeding calls may go beyond the given
buffer limit. Fix it by replacing with scnprintf().
Cc: "David S . Miller" <davem@davemloft.net>
Cc: netdev@vger.kernel.org
Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
v1->v2: Align the remaining lines to the open parenthesis
drivers/net/caif/caif_spi.c | 72 ++++++++++++++++++++++-----------------------
1 file changed, 36 insertions(+), 36 deletions(-)
diff --git a/drivers/net/caif/caif_spi.c b/drivers/net/caif/caif_spi.c
index 8e81bdf98ac6..63f2548f5b1b 100644
--- a/drivers/net/caif/caif_spi.c
+++ b/drivers/net/caif/caif_spi.c
@@ -141,29 +141,29 @@ static ssize_t dbgfs_state(struct file *file, char __user *user_buf,
return 0;
/* Print out debug information. */
- len += snprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
- "CAIF SPI debug information:\n");
-
- len += snprintf((buf + len), (DEBUGFS_BUF_SIZE - len), FLAVOR);
-
- len += snprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
- "STATE: %d\n", cfspi->dbg_state);
- len += snprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
- "Previous CMD: 0x%x\n", cfspi->pcmd);
- len += snprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
- "Current CMD: 0x%x\n", cfspi->cmd);
- len += snprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
- "Previous TX len: %d\n", cfspi->tx_ppck_len);
- len += snprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
- "Previous RX len: %d\n", cfspi->rx_ppck_len);
- len += snprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
- "Current TX len: %d\n", cfspi->tx_cpck_len);
- len += snprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
- "Current RX len: %d\n", cfspi->rx_cpck_len);
- len += snprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
- "Next TX len: %d\n", cfspi->tx_npck_len);
- len += snprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
- "Next RX len: %d\n", cfspi->rx_npck_len);
+ len += scnprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
+ "CAIF SPI debug information:\n");
+
+ len += scnprintf((buf + len), (DEBUGFS_BUF_SIZE - len), FLAVOR);
+
+ len += scnprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
+ "STATE: %d\n", cfspi->dbg_state);
+ len += scnprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
+ "Previous CMD: 0x%x\n", cfspi->pcmd);
+ len += scnprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
+ "Current CMD: 0x%x\n", cfspi->cmd);
+ len += scnprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
+ "Previous TX len: %d\n", cfspi->tx_ppck_len);
+ len += scnprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
+ "Previous RX len: %d\n", cfspi->rx_ppck_len);
+ len += scnprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
+ "Current TX len: %d\n", cfspi->tx_cpck_len);
+ len += scnprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
+ "Current RX len: %d\n", cfspi->rx_cpck_len);
+ len += scnprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
+ "Next TX len: %d\n", cfspi->tx_npck_len);
+ len += scnprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
+ "Next RX len: %d\n", cfspi->rx_npck_len);
if (len > DEBUGFS_BUF_SIZE)
len = DEBUGFS_BUF_SIZE;
@@ -180,23 +180,23 @@ static ssize_t print_frame(char *buf, size_t size, char *frm,
int len = 0;
int i;
for (i = 0; i < count; i++) {
- len += snprintf((buf + len), (size - len),
+ len += scnprintf((buf + len), (size - len),
"[0x" BYTE_HEX_FMT "]",
frm[i]);
if ((i == cut) && (count > (cut * 2))) {
/* Fast forward. */
i = count - cut;
- len += snprintf((buf + len), (size - len),
- "--- %zu bytes skipped ---\n",
- count - (cut * 2));
+ len += scnprintf((buf + len), (size - len),
+ "--- %zu bytes skipped ---\n",
+ count - (cut * 2));
}
if ((!(i % 10)) && i) {
- len += snprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
- "\n");
+ len += scnprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
+ "\n");
}
}
- len += snprintf((buf + len), (DEBUGFS_BUF_SIZE - len), "\n");
+ len += scnprintf((buf + len), (DEBUGFS_BUF_SIZE - len), "\n");
return len;
}
@@ -214,18 +214,18 @@ static ssize_t dbgfs_frame(struct file *file, char __user *user_buf,
return 0;
/* Print out debug information. */
- len += snprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
- "Current frame:\n");
+ len += scnprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
+ "Current frame:\n");
- len += snprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
- "Tx data (Len: %d):\n", cfspi->tx_cpck_len);
+ len += scnprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
+ "Tx data (Len: %d):\n", cfspi->tx_cpck_len);
len += print_frame((buf + len), (DEBUGFS_BUF_SIZE - len),
cfspi->xfer.va_tx[0],
(cfspi->tx_cpck_len + SPI_CMD_SZ), 100);
- len += snprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
- "Rx data (Len: %d):\n", cfspi->rx_cpck_len);
+ len += scnprintf((buf + len), (DEBUGFS_BUF_SIZE - len),
+ "Rx data (Len: %d):\n", cfspi->rx_cpck_len);
len += print_frame((buf + len), (DEBUGFS_BUF_SIZE - len),
cfspi->xfer.va_rx,
--
2.16.4
^ permalink raw reply related [flat|nested] 9+ messages in thread
* [PATCH v2 2/6] net: mlx4: Use scnprintf() for avoiding potential buffer overflow
2020-03-15 9:34 [PATCH v2 0/6] net: Use scnprintf() for avoiding potential buffer overflow Takashi Iwai
2020-03-15 9:34 ` [PATCH v2 1/6] net: caif: " Takashi Iwai
@ 2020-03-15 9:34 ` Takashi Iwai
2020-03-15 9:35 ` [PATCH v2 3/6] net: nfp: " Takashi Iwai
` (4 subsequent siblings)
6 siblings, 0 replies; 9+ messages in thread
From: Takashi Iwai @ 2020-03-15 9:34 UTC (permalink / raw)
To: netdev; +Cc: David S . Miller, Tariq Toukan
Since snprintf() returns the would-be-output size instead of the
actual output size, the succeeding calls may go beyond the given
buffer limit. Fix it by replacing with scnprintf().
Cc: "David S . Miller" <davem@davemloft.net>
Cc: Tariq Toukan <tariqt@mellanox.com>
To: netdev@vger.kernel.org
Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
v1->v2: Align the remaining lines to the open parenthesis
drivers/net/ethernet/mellanox/mlx4/mcg.c | 62 ++++++++++++++++----------------
1 file changed, 31 insertions(+), 31 deletions(-)
diff --git a/drivers/net/ethernet/mellanox/mlx4/mcg.c b/drivers/net/ethernet/mellanox/mlx4/mcg.c
index 9c481823b3e8..9486caecfbdc 100644
--- a/drivers/net/ethernet/mellanox/mlx4/mcg.c
+++ b/drivers/net/ethernet/mellanox/mlx4/mcg.c
@@ -906,59 +906,59 @@ static void mlx4_err_rule(struct mlx4_dev *dev, char *str,
int len = 0;
mlx4_err(dev, "%s", str);
- len += snprintf(buf + len, BUF_SIZE - len,
- "port = %d prio = 0x%x qp = 0x%x ",
- rule->port, rule->priority, rule->qpn);
+ len += scnprintf(buf + len, BUF_SIZE - len,
+ "port = %d prio = 0x%x qp = 0x%x ",
+ rule->port, rule->priority, rule->qpn);
list_for_each_entry(cur, &rule->list, list) {
switch (cur->id) {
case MLX4_NET_TRANS_RULE_ID_ETH:
- len += snprintf(buf + len, BUF_SIZE - len,
- "dmac = %pM ", &cur->eth.dst_mac);
+ len += scnprintf(buf + len, BUF_SIZE - len,
+ "dmac = %pM ", &cur->eth.dst_mac);
if (cur->eth.ether_type)
- len += snprintf(buf + len, BUF_SIZE - len,
- "ethertype = 0x%x ",
- be16_to_cpu(cur->eth.ether_type));
+ len += scnprintf(buf + len, BUF_SIZE - len,
+ "ethertype = 0x%x ",
+ be16_to_cpu(cur->eth.ether_type));
if (cur->eth.vlan_id)
- len += snprintf(buf + len, BUF_SIZE - len,
- "vlan-id = %d ",
- be16_to_cpu(cur->eth.vlan_id));
+ len += scnprintf(buf + len, BUF_SIZE - len,
+ "vlan-id = %d ",
+ be16_to_cpu(cur->eth.vlan_id));
break;
case MLX4_NET_TRANS_RULE_ID_IPV4:
if (cur->ipv4.src_ip)
- len += snprintf(buf + len, BUF_SIZE - len,
- "src-ip = %pI4 ",
- &cur->ipv4.src_ip);
+ len += scnprintf(buf + len, BUF_SIZE - len,
+ "src-ip = %pI4 ",
+ &cur->ipv4.src_ip);
if (cur->ipv4.dst_ip)
- len += snprintf(buf + len, BUF_SIZE - len,
- "dst-ip = %pI4 ",
- &cur->ipv4.dst_ip);
+ len += scnprintf(buf + len, BUF_SIZE - len,
+ "dst-ip = %pI4 ",
+ &cur->ipv4.dst_ip);
break;
case MLX4_NET_TRANS_RULE_ID_TCP:
case MLX4_NET_TRANS_RULE_ID_UDP:
if (cur->tcp_udp.src_port)
- len += snprintf(buf + len, BUF_SIZE - len,
- "src-port = %d ",
- be16_to_cpu(cur->tcp_udp.src_port));
+ len += scnprintf(buf + len, BUF_SIZE - len,
+ "src-port = %d ",
+ be16_to_cpu(cur->tcp_udp.src_port));
if (cur->tcp_udp.dst_port)
- len += snprintf(buf + len, BUF_SIZE - len,
- "dst-port = %d ",
- be16_to_cpu(cur->tcp_udp.dst_port));
+ len += scnprintf(buf + len, BUF_SIZE - len,
+ "dst-port = %d ",
+ be16_to_cpu(cur->tcp_udp.dst_port));
break;
case MLX4_NET_TRANS_RULE_ID_IB:
- len += snprintf(buf + len, BUF_SIZE - len,
- "dst-gid = %pI6\n", cur->ib.dst_gid);
- len += snprintf(buf + len, BUF_SIZE - len,
- "dst-gid-mask = %pI6\n",
- cur->ib.dst_gid_msk);
+ len += scnprintf(buf + len, BUF_SIZE - len,
+ "dst-gid = %pI6\n", cur->ib.dst_gid);
+ len += scnprintf(buf + len, BUF_SIZE - len,
+ "dst-gid-mask = %pI6\n",
+ cur->ib.dst_gid_msk);
break;
case MLX4_NET_TRANS_RULE_ID_VXLAN:
- len += snprintf(buf + len, BUF_SIZE - len,
- "VNID = %d ", be32_to_cpu(cur->vxlan.vni));
+ len += scnprintf(buf + len, BUF_SIZE - len,
+ "VNID = %d ", be32_to_cpu(cur->vxlan.vni));
break;
case MLX4_NET_TRANS_RULE_ID_IPV6:
break;
@@ -967,7 +967,7 @@ static void mlx4_err_rule(struct mlx4_dev *dev, char *str,
break;
}
}
- len += snprintf(buf + len, BUF_SIZE - len, "\n");
+ len += scnprintf(buf + len, BUF_SIZE - len, "\n");
mlx4_err(dev, "%s", buf);
if (len >= BUF_SIZE)
--
2.16.4
^ permalink raw reply related [flat|nested] 9+ messages in thread
* [PATCH v2 3/6] net: nfp: Use scnprintf() for avoiding potential buffer overflow
2020-03-15 9:34 [PATCH v2 0/6] net: Use scnprintf() for avoiding potential buffer overflow Takashi Iwai
2020-03-15 9:34 ` [PATCH v2 1/6] net: caif: " Takashi Iwai
2020-03-15 9:34 ` [PATCH v2 2/6] net: mlx4: " Takashi Iwai
@ 2020-03-15 9:35 ` Takashi Iwai
2020-03-15 9:35 ` [PATCH v2 4/6] net: ionic: " Takashi Iwai
` (3 subsequent siblings)
6 siblings, 0 replies; 9+ messages in thread
From: Takashi Iwai @ 2020-03-15 9:35 UTC (permalink / raw)
To: netdev; +Cc: David S . Miller, Jakub Kicinski, oss-drivers
Since snprintf() returns the would-be-output size instead of the
actual output size, the succeeding calls may go beyond the given
buffer limit. Fix it by replacing with scnprintf().
Reviewed-by: Simon Horman <simon.horman@netronome.com>
Cc: "David S . Miller" <davem@davemloft.net>
Cc: Jakub Kicinski <kuba@kernel.org>
Cc: oss-drivers@netronome.com
To: netdev@vger.kernel.org
Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
v1->v2: Align the remaining lines to the open parenthesis
drivers/net/ethernet/netronome/nfp/nfpcore/nfp6000_pcie.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/net/ethernet/netronome/nfp/nfpcore/nfp6000_pcie.c b/drivers/net/ethernet/netronome/nfp/nfpcore/nfp6000_pcie.c
index 8fde6c1f681b..a486008eb80a 100644
--- a/drivers/net/ethernet/netronome/nfp/nfpcore/nfp6000_pcie.c
+++ b/drivers/net/ethernet/netronome/nfp/nfpcore/nfp6000_pcie.c
@@ -616,7 +616,7 @@ static int enable_bars(struct nfp6000_pcie *nfp, u16 interface)
if (bar->iomem) {
int pf;
- msg += snprintf(msg, end - msg, "0.0: General/MSI-X SRAM, ");
+ msg += scnprintf(msg, end - msg, "0.0: General/MSI-X SRAM, ");
atomic_inc(&bar->refcnt);
bars_free--;
@@ -661,7 +661,7 @@ static int enable_bars(struct nfp6000_pcie *nfp, u16 interface)
/* Configure, and lock, BAR0.1 for PCIe XPB (MSI-X PBA) */
bar = &nfp->bar[1];
- msg += snprintf(msg, end - msg, "0.1: PCIe XPB/MSI-X PBA, ");
+ msg += scnprintf(msg, end - msg, "0.1: PCIe XPB/MSI-X PBA, ");
atomic_inc(&bar->refcnt);
bars_free--;
@@ -680,8 +680,8 @@ static int enable_bars(struct nfp6000_pcie *nfp, u16 interface)
bar->iomem = ioremap(nfp_bar_resource_start(bar),
nfp_bar_resource_len(bar));
if (bar->iomem) {
- msg += snprintf(msg, end - msg,
- "0.%d: Explicit%d, ", 4 + i, i);
+ msg += scnprintf(msg, end - msg,
+ "0.%d: Explicit%d, ", 4 + i, i);
atomic_inc(&bar->refcnt);
bars_free--;
--
2.16.4
^ permalink raw reply related [flat|nested] 9+ messages in thread
* [PATCH v2 4/6] net: ionic: Use scnprintf() for avoiding potential buffer overflow
2020-03-15 9:34 [PATCH v2 0/6] net: Use scnprintf() for avoiding potential buffer overflow Takashi Iwai
` (2 preceding siblings ...)
2020-03-15 9:35 ` [PATCH v2 3/6] net: nfp: " Takashi Iwai
@ 2020-03-15 9:35 ` Takashi Iwai
2020-03-15 9:35 ` [PATCH v2 5/6] net: sfc: " Takashi Iwai
` (2 subsequent siblings)
6 siblings, 0 replies; 9+ messages in thread
From: Takashi Iwai @ 2020-03-15 9:35 UTC (permalink / raw)
To: netdev; +Cc: David S . Miller, Jakub Kicinski, oss-drivers
Since snprintf() returns the would-be-output size instead of the
actual output size, the succeeding calls may go beyond the given
buffer limit. Fix it by replacing with scnprintf().
Reviewed-by: Simon Horman <simon.horman@netronome.com>
Acked-by: Shannon Nelson <snelson@pensando.io>
Cc: "David S . Miller" <davem@davemloft.net>
Cc: Jakub Kicinski <kuba@kernel.org>
Cc: oss-drivers@netronome.com
Cc: netdev@vger.kernel.org
Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
v1->v2: Align the remaining lines to the open parenthesis
drivers/net/ethernet/pensando/ionic/ionic_lif.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/drivers/net/ethernet/pensando/ionic/ionic_lif.c b/drivers/net/ethernet/pensando/ionic/ionic_lif.c
index b903016193df..fc951ae0f5a6 100644
--- a/drivers/net/ethernet/pensando/ionic/ionic_lif.c
+++ b/drivers/net/ethernet/pensando/ionic/ionic_lif.c
@@ -949,18 +949,18 @@ static void ionic_lif_rx_mode(struct ionic_lif *lif, unsigned int rx_mode)
int i;
#define REMAIN(__x) (sizeof(buf) - (__x))
- i = snprintf(buf, sizeof(buf), "rx_mode 0x%04x -> 0x%04x:",
- lif->rx_mode, rx_mode);
+ i = scnprintf(buf, sizeof(buf), "rx_mode 0x%04x -> 0x%04x:",
+ lif->rx_mode, rx_mode);
if (rx_mode & IONIC_RX_MODE_F_UNICAST)
- i += snprintf(&buf[i], REMAIN(i), " RX_MODE_F_UNICAST");
+ i += scnprintf(&buf[i], REMAIN(i), " RX_MODE_F_UNICAST");
if (rx_mode & IONIC_RX_MODE_F_MULTICAST)
- i += snprintf(&buf[i], REMAIN(i), " RX_MODE_F_MULTICAST");
+ i += scnprintf(&buf[i], REMAIN(i), " RX_MODE_F_MULTICAST");
if (rx_mode & IONIC_RX_MODE_F_BROADCAST)
- i += snprintf(&buf[i], REMAIN(i), " RX_MODE_F_BROADCAST");
+ i += scnprintf(&buf[i], REMAIN(i), " RX_MODE_F_BROADCAST");
if (rx_mode & IONIC_RX_MODE_F_PROMISC)
- i += snprintf(&buf[i], REMAIN(i), " RX_MODE_F_PROMISC");
+ i += scnprintf(&buf[i], REMAIN(i), " RX_MODE_F_PROMISC");
if (rx_mode & IONIC_RX_MODE_F_ALLMULTI)
- i += snprintf(&buf[i], REMAIN(i), " RX_MODE_F_ALLMULTI");
+ i += scnprintf(&buf[i], REMAIN(i), " RX_MODE_F_ALLMULTI");
netdev_dbg(lif->netdev, "lif%d %s\n", lif->index, buf);
err = ionic_adminq_post_wait(lif, &ctx);
--
2.16.4
^ permalink raw reply related [flat|nested] 9+ messages in thread
* [PATCH v2 5/6] net: sfc: Use scnprintf() for avoiding potential buffer overflow
2020-03-15 9:34 [PATCH v2 0/6] net: Use scnprintf() for avoiding potential buffer overflow Takashi Iwai
` (3 preceding siblings ...)
2020-03-15 9:35 ` [PATCH v2 4/6] net: ionic: " Takashi Iwai
@ 2020-03-15 9:35 ` Takashi Iwai
2020-03-16 11:51 ` Martin Habets
2020-03-15 9:35 ` [PATCH v2 6/6] net: netdevsim: " Takashi Iwai
2020-03-16 0:06 ` [PATCH v2 0/6] net: " David Miller
6 siblings, 1 reply; 9+ messages in thread
From: Takashi Iwai @ 2020-03-15 9:35 UTC (permalink / raw)
To: netdev
Cc: David S . Miller, Edward Cree, Martin Habets,
Solarflare linux maintainers
Since snprintf() returns the would-be-output size instead of the
actual output size, the succeeding calls may go beyond the given
buffer limit. Fix it by replacing with scnprintf().
Cc: "David S . Miller" <davem@davemloft.net>
Cc: Edward Cree <ecree@solarflare.com>
Cc: Martin Habets <mhabets@solarflare.com>
Cc: Solarflare linux maintainers <linux-net-drivers@solarflare.com>
Cc: netdev@vger.kernel.org
Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
v1->v2: Align the remaining lines to the open parenthesis
drivers/net/ethernet/sfc/mcdi.c | 32 ++++++++++++++++++--------------
1 file changed, 18 insertions(+), 14 deletions(-)
diff --git a/drivers/net/ethernet/sfc/mcdi.c b/drivers/net/ethernet/sfc/mcdi.c
index 2713300343c7..15c731d04065 100644
--- a/drivers/net/ethernet/sfc/mcdi.c
+++ b/drivers/net/ethernet/sfc/mcdi.c
@@ -212,12 +212,14 @@ static void efx_mcdi_send_request(struct efx_nic *efx, unsigned cmd,
* progress on a NIC at any one time. So no need for locking.
*/
for (i = 0; i < hdr_len / 4 && bytes < PAGE_SIZE; i++)
- bytes += snprintf(buf + bytes, PAGE_SIZE - bytes,
- " %08x", le32_to_cpu(hdr[i].u32[0]));
+ bytes += scnprintf(buf + bytes, PAGE_SIZE - bytes,
+ " %08x",
+ le32_to_cpu(hdr[i].u32[0]));
for (i = 0; i < inlen / 4 && bytes < PAGE_SIZE; i++)
- bytes += snprintf(buf + bytes, PAGE_SIZE - bytes,
- " %08x", le32_to_cpu(inbuf[i].u32[0]));
+ bytes += scnprintf(buf + bytes, PAGE_SIZE - bytes,
+ " %08x",
+ le32_to_cpu(inbuf[i].u32[0]));
netif_info(efx, hw, efx->net_dev, "MCDI RPC REQ:%s\n", buf);
}
@@ -302,15 +304,15 @@ static void efx_mcdi_read_response_header(struct efx_nic *efx)
*/
for (i = 0; i < hdr_len && bytes < PAGE_SIZE; i++) {
efx->type->mcdi_read_response(efx, &hdr, (i * 4), 4);
- bytes += snprintf(buf + bytes, PAGE_SIZE - bytes,
- " %08x", le32_to_cpu(hdr.u32[0]));
+ bytes += scnprintf(buf + bytes, PAGE_SIZE - bytes,
+ " %08x", le32_to_cpu(hdr.u32[0]));
}
for (i = 0; i < data_len && bytes < PAGE_SIZE; i++) {
efx->type->mcdi_read_response(efx, &hdr,
mcdi->resp_hdr_len + (i * 4), 4);
- bytes += snprintf(buf + bytes, PAGE_SIZE - bytes,
- " %08x", le32_to_cpu(hdr.u32[0]));
+ bytes += scnprintf(buf + bytes, PAGE_SIZE - bytes,
+ " %08x", le32_to_cpu(hdr.u32[0]));
}
netif_info(efx, hw, efx->net_dev, "MCDI RPC RESP:%s\n", buf);
@@ -1417,9 +1419,11 @@ void efx_mcdi_print_fwver(struct efx_nic *efx, char *buf, size_t len)
}
ver_words = (__le16 *)MCDI_PTR(outbuf, GET_VERSION_OUT_VERSION);
- offset = snprintf(buf, len, "%u.%u.%u.%u",
- le16_to_cpu(ver_words[0]), le16_to_cpu(ver_words[1]),
- le16_to_cpu(ver_words[2]), le16_to_cpu(ver_words[3]));
+ offset = scnprintf(buf, len, "%u.%u.%u.%u",
+ le16_to_cpu(ver_words[0]),
+ le16_to_cpu(ver_words[1]),
+ le16_to_cpu(ver_words[2]),
+ le16_to_cpu(ver_words[3]));
/* EF10 may have multiple datapath firmware variants within a
* single version. Report which variants are running.
@@ -1427,9 +1431,9 @@ void efx_mcdi_print_fwver(struct efx_nic *efx, char *buf, size_t len)
if (efx_nic_rev(efx) >= EFX_REV_HUNT_A0) {
struct efx_ef10_nic_data *nic_data = efx->nic_data;
- offset += snprintf(buf + offset, len - offset, " rx%x tx%x",
- nic_data->rx_dpcpu_fw_id,
- nic_data->tx_dpcpu_fw_id);
+ offset += scnprintf(buf + offset, len - offset, " rx%x tx%x",
+ nic_data->rx_dpcpu_fw_id,
+ nic_data->tx_dpcpu_fw_id);
/* It's theoretically possible for the string to exceed 31
* characters, though in practice the first three version
--
2.16.4
^ permalink raw reply related [flat|nested] 9+ messages in thread
* [PATCH v2 6/6] net: netdevsim: Use scnprintf() for avoiding potential buffer overflow
2020-03-15 9:34 [PATCH v2 0/6] net: Use scnprintf() for avoiding potential buffer overflow Takashi Iwai
` (4 preceding siblings ...)
2020-03-15 9:35 ` [PATCH v2 5/6] net: sfc: " Takashi Iwai
@ 2020-03-15 9:35 ` Takashi Iwai
2020-03-16 0:06 ` [PATCH v2 0/6] net: " David Miller
6 siblings, 0 replies; 9+ messages in thread
From: Takashi Iwai @ 2020-03-15 9:35 UTC (permalink / raw)
To: netdev; +Cc: David S . Miller, Jakub Kicinski
Since snprintf() returns the would-be-output size instead of the
actual output size, the succeeding calls may go beyond the given
buffer limit. Fix it by replacing with scnprintf().
Cc: "David S . Miller" <davem@davemloft.net>
Cc: Jakub Kicinski <kuba@kernel.org>
Cc: netdev@vger.kernel.org
Signed-off-by: Takashi Iwai <tiwai@suse.de>
---
v1->v2: Align the remaining lines to the open parenthesis
drivers/net/netdevsim/ipsec.c | 30 +++++++++++++++---------------
1 file changed, 15 insertions(+), 15 deletions(-)
diff --git a/drivers/net/netdevsim/ipsec.c b/drivers/net/netdevsim/ipsec.c
index e27fc1a4516d..3811f1bde84e 100644
--- a/drivers/net/netdevsim/ipsec.c
+++ b/drivers/net/netdevsim/ipsec.c
@@ -29,9 +29,9 @@ static ssize_t nsim_dbg_netdev_ops_read(struct file *filp,
return -ENOMEM;
p = buf;
- p += snprintf(p, bufsize - (p - buf),
- "SA count=%u tx=%u\n",
- ipsec->count, ipsec->tx);
+ p += scnprintf(p, bufsize - (p - buf),
+ "SA count=%u tx=%u\n",
+ ipsec->count, ipsec->tx);
for (i = 0; i < NSIM_IPSEC_MAX_SA_COUNT; i++) {
struct nsim_sa *sap = &ipsec->sa[i];
@@ -39,18 +39,18 @@ static ssize_t nsim_dbg_netdev_ops_read(struct file *filp,
if (!sap->used)
continue;
- p += snprintf(p, bufsize - (p - buf),
- "sa[%i] %cx ipaddr=0x%08x %08x %08x %08x\n",
- i, (sap->rx ? 'r' : 't'), sap->ipaddr[0],
- sap->ipaddr[1], sap->ipaddr[2], sap->ipaddr[3]);
- p += snprintf(p, bufsize - (p - buf),
- "sa[%i] spi=0x%08x proto=0x%x salt=0x%08x crypt=%d\n",
- i, be32_to_cpu(sap->xs->id.spi),
- sap->xs->id.proto, sap->salt, sap->crypt);
- p += snprintf(p, bufsize - (p - buf),
- "sa[%i] key=0x%08x %08x %08x %08x\n",
- i, sap->key[0], sap->key[1],
- sap->key[2], sap->key[3]);
+ p += scnprintf(p, bufsize - (p - buf),
+ "sa[%i] %cx ipaddr=0x%08x %08x %08x %08x\n",
+ i, (sap->rx ? 'r' : 't'), sap->ipaddr[0],
+ sap->ipaddr[1], sap->ipaddr[2], sap->ipaddr[3]);
+ p += scnprintf(p, bufsize - (p - buf),
+ "sa[%i] spi=0x%08x proto=0x%x salt=0x%08x crypt=%d\n",
+ i, be32_to_cpu(sap->xs->id.spi),
+ sap->xs->id.proto, sap->salt, sap->crypt);
+ p += scnprintf(p, bufsize - (p - buf),
+ "sa[%i] key=0x%08x %08x %08x %08x\n",
+ i, sap->key[0], sap->key[1],
+ sap->key[2], sap->key[3]);
}
len = simple_read_from_buffer(buffer, count, ppos, buf, p - buf);
--
2.16.4
^ permalink raw reply related [flat|nested] 9+ messages in thread
* Re: [PATCH v2 0/6] net: Use scnprintf() for avoiding potential buffer overflow
2020-03-15 9:34 [PATCH v2 0/6] net: Use scnprintf() for avoiding potential buffer overflow Takashi Iwai
` (5 preceding siblings ...)
2020-03-15 9:35 ` [PATCH v2 6/6] net: netdevsim: " Takashi Iwai
@ 2020-03-16 0:06 ` David Miller
6 siblings, 0 replies; 9+ messages in thread
From: David Miller @ 2020-03-16 0:06 UTC (permalink / raw)
To: tiwai; +Cc: netdev
From: Takashi Iwai <tiwai@suse.de>
Date: Sun, 15 Mar 2020 10:34:57 +0100
> here is a respin of trivial patch series just to convert suspicious
> snprintf() usages with the more safer one, scnprintf().
>
> v1->v2: Align the remaining lines to the open parenthesis
> Excluded i40e patch that was already queued
Series applied, thank you.
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: [PATCH v2 5/6] net: sfc: Use scnprintf() for avoiding potential buffer overflow
2020-03-15 9:35 ` [PATCH v2 5/6] net: sfc: " Takashi Iwai
@ 2020-03-16 11:51 ` Martin Habets
0 siblings, 0 replies; 9+ messages in thread
From: Martin Habets @ 2020-03-16 11:51 UTC (permalink / raw)
To: Takashi Iwai, netdev
Cc: David S . Miller, Edward Cree, Solarflare linux maintainers
On 15/03/2020 09:35, Takashi Iwai wrote:
> Since snprintf() returns the would-be-output size instead of the
> actual output size, the succeeding calls may go beyond the given
> buffer limit. Fix it by replacing with scnprintf().
>
> Cc: "David S . Miller" <davem@davemloft.net>
> Cc: Edward Cree <ecree@solarflare.com>
> Cc: Martin Habets <mhabets@solarflare.com>
> Cc: Solarflare linux maintainers <linux-net-drivers@solarflare.com>
> Cc: netdev@vger.kernel.org
> Signed-off-by: Takashi Iwai <tiwai@suse.de>
Acked-by: Martin Habets <mhabets@solarflare.com>
> ---
> v1->v2: Align the remaining lines to the open parenthesis
>
> drivers/net/ethernet/sfc/mcdi.c | 32 ++++++++++++++++++--------------
> 1 file changed, 18 insertions(+), 14 deletions(-)
>
> diff --git a/drivers/net/ethernet/sfc/mcdi.c b/drivers/net/ethernet/sfc/mcdi.c
> index 2713300343c7..15c731d04065 100644
> --- a/drivers/net/ethernet/sfc/mcdi.c
> +++ b/drivers/net/ethernet/sfc/mcdi.c
> @@ -212,12 +212,14 @@ static void efx_mcdi_send_request(struct efx_nic *efx, unsigned cmd,
> * progress on a NIC at any one time. So no need for locking.
> */
> for (i = 0; i < hdr_len / 4 && bytes < PAGE_SIZE; i++)
> - bytes += snprintf(buf + bytes, PAGE_SIZE - bytes,
> - " %08x", le32_to_cpu(hdr[i].u32[0]));
> + bytes += scnprintf(buf + bytes, PAGE_SIZE - bytes,
> + " %08x",
> + le32_to_cpu(hdr[i].u32[0]));
>
> for (i = 0; i < inlen / 4 && bytes < PAGE_SIZE; i++)
> - bytes += snprintf(buf + bytes, PAGE_SIZE - bytes,
> - " %08x", le32_to_cpu(inbuf[i].u32[0]));
> + bytes += scnprintf(buf + bytes, PAGE_SIZE - bytes,
> + " %08x",
> + le32_to_cpu(inbuf[i].u32[0]));
>
> netif_info(efx, hw, efx->net_dev, "MCDI RPC REQ:%s\n", buf);
> }
> @@ -302,15 +304,15 @@ static void efx_mcdi_read_response_header(struct efx_nic *efx)
> */
> for (i = 0; i < hdr_len && bytes < PAGE_SIZE; i++) {
> efx->type->mcdi_read_response(efx, &hdr, (i * 4), 4);
> - bytes += snprintf(buf + bytes, PAGE_SIZE - bytes,
> - " %08x", le32_to_cpu(hdr.u32[0]));
> + bytes += scnprintf(buf + bytes, PAGE_SIZE - bytes,
> + " %08x", le32_to_cpu(hdr.u32[0]));
> }
>
> for (i = 0; i < data_len && bytes < PAGE_SIZE; i++) {
> efx->type->mcdi_read_response(efx, &hdr,
> mcdi->resp_hdr_len + (i * 4), 4);
> - bytes += snprintf(buf + bytes, PAGE_SIZE - bytes,
> - " %08x", le32_to_cpu(hdr.u32[0]));
> + bytes += scnprintf(buf + bytes, PAGE_SIZE - bytes,
> + " %08x", le32_to_cpu(hdr.u32[0]));
> }
>
> netif_info(efx, hw, efx->net_dev, "MCDI RPC RESP:%s\n", buf);
> @@ -1417,9 +1419,11 @@ void efx_mcdi_print_fwver(struct efx_nic *efx, char *buf, size_t len)
> }
>
> ver_words = (__le16 *)MCDI_PTR(outbuf, GET_VERSION_OUT_VERSION);
> - offset = snprintf(buf, len, "%u.%u.%u.%u",
> - le16_to_cpu(ver_words[0]), le16_to_cpu(ver_words[1]),
> - le16_to_cpu(ver_words[2]), le16_to_cpu(ver_words[3]));
> + offset = scnprintf(buf, len, "%u.%u.%u.%u",
> + le16_to_cpu(ver_words[0]),
> + le16_to_cpu(ver_words[1]),
> + le16_to_cpu(ver_words[2]),
> + le16_to_cpu(ver_words[3]));
>
> /* EF10 may have multiple datapath firmware variants within a
> * single version. Report which variants are running.
> @@ -1427,9 +1431,9 @@ void efx_mcdi_print_fwver(struct efx_nic *efx, char *buf, size_t len)
> if (efx_nic_rev(efx) >= EFX_REV_HUNT_A0) {
> struct efx_ef10_nic_data *nic_data = efx->nic_data;
>
> - offset += snprintf(buf + offset, len - offset, " rx%x tx%x",
> - nic_data->rx_dpcpu_fw_id,
> - nic_data->tx_dpcpu_fw_id);
> + offset += scnprintf(buf + offset, len - offset, " rx%x tx%x",
> + nic_data->rx_dpcpu_fw_id,
> + nic_data->tx_dpcpu_fw_id);
>
> /* It's theoretically possible for the string to exceed 31
> * characters, though in practice the first three version
>
^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2020-03-16 11:51 UTC | newest]
Thread overview: 9+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-03-15 9:34 [PATCH v2 0/6] net: Use scnprintf() for avoiding potential buffer overflow Takashi Iwai
2020-03-15 9:34 ` [PATCH v2 1/6] net: caif: " Takashi Iwai
2020-03-15 9:34 ` [PATCH v2 2/6] net: mlx4: " Takashi Iwai
2020-03-15 9:35 ` [PATCH v2 3/6] net: nfp: " Takashi Iwai
2020-03-15 9:35 ` [PATCH v2 4/6] net: ionic: " Takashi Iwai
2020-03-15 9:35 ` [PATCH v2 5/6] net: sfc: " Takashi Iwai
2020-03-16 11:51 ` Martin Habets
2020-03-15 9:35 ` [PATCH v2 6/6] net: netdevsim: " Takashi Iwai
2020-03-16 0:06 ` [PATCH v2 0/6] net: " David Miller
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).