Commit 4a348601 authored by Takashi Iwai's avatar Takashi Iwai Committed by David S. Miller

net: mlx4: Use scnprintf() for avoiding potential buffer overflow



Since snprintf() returns the would-be-output size instead of the
actual output size, the succeeding calls may go beyond the given
buffer limit.  Fix it by replacing with scnprintf().

Cc: "David S . Miller" <davem@davemloft.net>
Cc: Tariq Toukan <tariqt@mellanox.com>
To: netdev@vger.kernel.org
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
parent 13bde56c
+31 −31
@@ -906,32 +906,32 @@ static void mlx4_err_rule(struct mlx4_dev *dev, char *str,
	int len = 0;

	mlx4_err(dev, "%s", str);
	len += snprintf(buf + len, BUF_SIZE - len,
	len += scnprintf(buf + len, BUF_SIZE - len,
			 "port = %d prio = 0x%x qp = 0x%x ",
			 rule->port, rule->priority, rule->qpn);

	list_for_each_entry(cur, &rule->list, list) {
		switch (cur->id) {
		case MLX4_NET_TRANS_RULE_ID_ETH:
			len += snprintf(buf + len, BUF_SIZE - len,
			len += scnprintf(buf + len, BUF_SIZE - len,
					 "dmac = %pM ", &cur->eth.dst_mac);
			if (cur->eth.ether_type)
				len += snprintf(buf + len, BUF_SIZE - len,
				len += scnprintf(buf + len, BUF_SIZE - len,
						 "ethertype = 0x%x ",
						 be16_to_cpu(cur->eth.ether_type));
			if (cur->eth.vlan_id)
				len += snprintf(buf + len, BUF_SIZE - len,
				len += scnprintf(buf + len, BUF_SIZE - len,
						 "vlan-id = %d ",
						 be16_to_cpu(cur->eth.vlan_id));
			break;

		case MLX4_NET_TRANS_RULE_ID_IPV4:
			if (cur->ipv4.src_ip)
				len += snprintf(buf + len, BUF_SIZE - len,
				len += scnprintf(buf + len, BUF_SIZE - len,
						 "src-ip = %pI4 ",
						 &cur->ipv4.src_ip);
			if (cur->ipv4.dst_ip)
				len += snprintf(buf + len, BUF_SIZE - len,
				len += scnprintf(buf + len, BUF_SIZE - len,
						 "dst-ip = %pI4 ",
						 &cur->ipv4.dst_ip);
			break;
@@ -939,25 +939,25 @@ static void mlx4_err_rule(struct mlx4_dev *dev, char *str,
		case MLX4_NET_TRANS_RULE_ID_TCP:
		case MLX4_NET_TRANS_RULE_ID_UDP:
			if (cur->tcp_udp.src_port)
				len += snprintf(buf + len, BUF_SIZE - len,
				len += scnprintf(buf + len, BUF_SIZE - len,
						 "src-port = %d ",
						 be16_to_cpu(cur->tcp_udp.src_port));
			if (cur->tcp_udp.dst_port)
				len += snprintf(buf + len, BUF_SIZE - len,
				len += scnprintf(buf + len, BUF_SIZE - len,
						 "dst-port = %d ",
						 be16_to_cpu(cur->tcp_udp.dst_port));
			break;

		case MLX4_NET_TRANS_RULE_ID_IB:
			len += snprintf(buf + len, BUF_SIZE - len,
			len += scnprintf(buf + len, BUF_SIZE - len,
					 "dst-gid = %pI6\n", cur->ib.dst_gid);
			len += snprintf(buf + len, BUF_SIZE - len,
			len += scnprintf(buf + len, BUF_SIZE - len,
					 "dst-gid-mask = %pI6\n",
					 cur->ib.dst_gid_msk);
			break;

		case MLX4_NET_TRANS_RULE_ID_VXLAN:
			len += snprintf(buf + len, BUF_SIZE - len,
			len += scnprintf(buf + len, BUF_SIZE - len,
					 "VNID = %d ", be32_to_cpu(cur->vxlan.vni));
			break;
		case MLX4_NET_TRANS_RULE_ID_IPV6:
@@ -967,7 +967,7 @@ static void mlx4_err_rule(struct mlx4_dev *dev, char *str,
			break;
		}
	}
	len += snprintf(buf + len, BUF_SIZE - len, "\n");
	len += scnprintf(buf + len, BUF_SIZE - len, "\n");
	mlx4_err(dev, "%s", buf);

	if (len >= BUF_SIZE)
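Review bot: The `if (len >= BUF_SIZE)` test kept as context at the end of the last hunk can no longer be true once every call is scnprintf(). scnprintf() returns the number of characters actually stored (at most size - 1), so `len` now tops out at BUF_SIZE - 1. The body of that branch is outside the hunk, but it presumably reports truncation; if so, an over-long rule description is now logged cut short with no indication that fields are missing. If the notice is still wanted, the condition should become `if (len >= BUF_SIZE - 1)`, accepting that an exact fit also trips it; otherwise the dead check should be removed in the same change.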