scsi: aacraid: Use scnprintf() for avoiding potential buffer overflow (82893ced) · Commits · 戴 / test

Since snprintf() returns the would-be-output size instead of the actual output size, the succeeding calls may go beyond the given buffer limit. Fix it by replacing with scnprintf(). Link: https://lore.kernel.org/r/20200315094241.9086-2-tiwai@suse.de Cc: "James E . J . Bottomley" <jejb@linux.ibm.com> Cc: "Martin K . Petersen" <martin.petersen@oracle.com> Cc: Adaptec OEM Raid Solutions <aacraid@microsemi.com> Cc: linux-scsi@vger.kernel.org Acked-by:

Balsundar P <Balsundar.P@microchip.com> Signed-off-by:

Takashi Iwai <tiwai@suse.de> Signed-off-by:

Martin K. Petersen <martin.petersen@oracle.com>

drivers/scsi/aacraid/linit.c

+9 −8

Original line number	Diff line number	Diff line
		@@ -1287,20 +1287,21 @@ static ssize_t aac_show_flags(struct device *cdev,
		if (nblank(dprintk(x)))
		len = snprintf(buf, PAGE_SIZE, "dprintk\n");
		#ifdef AAC_DETAILED_STATUS_INFO
		len += snprintf(buf + len, PAGE_SIZE - len,
		len += scnprintf(buf + len, PAGE_SIZE - len,
		"AAC_DETAILED_STATUS_INFO\n");
		#endif
		if (dev->raw_io_interface && dev->raw_io_64)
		len += snprintf(buf + len, PAGE_SIZE - len,
		len += scnprintf(buf + len, PAGE_SIZE - len,
		"SAI_READ_CAPACITY_16\n");
		if (dev->jbod)
		len += snprintf(buf + len, PAGE_SIZE - len, "SUPPORTED_JBOD\n");
		len += scnprintf(buf + len, PAGE_SIZE - len,
		"SUPPORTED_JBOD\n");
		if (dev->supplement_adapter_info.supported_options2 &
		AAC_OPTION_POWER_MANAGEMENT)
		len += snprintf(buf + len, PAGE_SIZE - len,
		len += scnprintf(buf + len, PAGE_SIZE - len,
		"SUPPORTED_POWER_MANAGEMENT\n");
		if (dev->msi)
		len += snprintf(buf + len, PAGE_SIZE - len, "PCI_HAS_MSI\n");
		len += scnprintf(buf + len, PAGE_SIZE - len, "PCI_HAS_MSI\n");
		return len;
		}

Admin message