Commit 2da222f6 authored by Takashi Iwai Committed by David S. Miller

net: netdevsim: Use scnprintf() for avoiding potential buffer overflow



Since snprintf() returns the would-be-output size instead of the
actual output size, the succeeding calls may go beyond the given
buffer limit.  Fix it by replacing with scnprintf().

Cc: "David S . Miller" <davem@davemloft.net>
Cc: Jakub Kicinski <kuba@kernel.org>
Cc: netdev@vger.kernel.org
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
parent 5e892880
+15 −15
@@ -29,7 +29,7 @@ static ssize_t nsim_dbg_netdev_ops_read(struct file *filp,
		return -ENOMEM;

	p = buf;
	p += snprintf(p, bufsize - (p - buf),
	p += scnprintf(p, bufsize - (p - buf),
		       "SA count=%u tx=%u\n",
		       ipsec->count, ipsec->tx);

@@ -39,15 +39,15 @@ static ssize_t nsim_dbg_netdev_ops_read(struct file *filp,
		if (!sap->used)
			continue;

		p += snprintf(p, bufsize - (p - buf),
		p += scnprintf(p, bufsize - (p - buf),
			       "sa[%i] %cx ipaddr=0x%08x %08x %08x %08x\n",
			       i, (sap->rx ? 'r' : 't'), sap->ipaddr[0],
			       sap->ipaddr[1], sap->ipaddr[2], sap->ipaddr[3]);
		p += snprintf(p, bufsize - (p - buf),
		p += scnprintf(p, bufsize - (p - buf),
			       "sa[%i]    spi=0x%08x proto=0x%x salt=0x%08x crypt=%d\n",
			       i, be32_to_cpu(sap->xs->id.spi),
			       sap->xs->id.proto, sap->salt, sap->crypt);
		p += snprintf(p, bufsize - (p - buf),
		p += scnprintf(p, bufsize - (p - buf),
			       "sa[%i]    key=0x%08x %08x %08x %08x\n",
			       i, sap->key[0], sap->key[1],
			       sap->key[2], sap->key[3]);
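Review bot: The four `scnprintf()` calls now truncate silently, so once the buffer is full the per-SA loop in the second hunk keeps iterating while each call appends nothing, and the reader gets a cut-off SA dump with no sign that entries are missing. `bufsize` is computed outside the visible hunks, so I cannot tell whether it is sized for every SA slot; if it may fall short, stop early after the per-SA block with `if (p - buf >= bufsize - 1) break;`. A short comment at the first call, `/* scnprintf() returns the bytes actually written, so p never passes buf + bufsize */`, would keep a later cleanup from switching back to snprintf(). Separately, the last call writes `sap->key[]` and the one before it `sap->salt` into a debugfs-readable buffer; that predates this commit, but it is worth confirming that the file's mode (set outside these hunks) limits reads to root. The body of nsim_dbg_netdev_ops_read starts and ends outside the hunks.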