]> git.baikalelectronics.ru Git - kernel.git/commitdiff
iio: core: Use scnprintf() for avoiding potential buffer overflow
authorTakashi Iwai <tiwai@suse.de>
Wed, 11 Mar 2020 07:43:24 +0000 (08:43 +0100)
committerJonathan Cameron <Jonathan.Cameron@huawei.com>
Sat, 21 Mar 2020 10:25:45 +0000 (10:25 +0000)
Since snprintf() returns the would-be-output size instead of the
actual output size, the succeeding calls may go beyond the given
buffer limit.  Fix it by replacing with scnprintf().

Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
drivers/iio/industrialio-core.c

index eac63c1bb8da0d970e0a0b78bb01e7fef3158756..157d95a24faa4e7b72aab6de8800bc1899ebf784 100644 (file)
@@ -566,46 +566,46 @@ static ssize_t __iio_format_value(char *buf, size_t len, unsigned int type,
 
        switch (type) {
        case IIO_VAL_INT:
-               return snprintf(buf, len, "%d", vals[0]);
+               return scnprintf(buf, len, "%d", vals[0]);
        case IIO_VAL_INT_PLUS_MICRO_DB:
                scale_db = true;
                /* fall through */
        case IIO_VAL_INT_PLUS_MICRO:
                if (vals[1] < 0)
-                       return snprintf(buf, len, "-%d.%06u%s", abs(vals[0]),
+                       return scnprintf(buf, len, "-%d.%06u%s", abs(vals[0]),
                                        -vals[1], scale_db ? " dB" : "");
                else
-                       return snprintf(buf, len, "%d.%06u%s", vals[0], vals[1],
+                       return scnprintf(buf, len, "%d.%06u%s", vals[0], vals[1],
                                        scale_db ? " dB" : "");
        case IIO_VAL_INT_PLUS_NANO:
                if (vals[1] < 0)
-                       return snprintf(buf, len, "-%d.%09u", abs(vals[0]),
+                       return scnprintf(buf, len, "-%d.%09u", abs(vals[0]),
                                        -vals[1]);
                else
-                       return snprintf(buf, len, "%d.%09u", vals[0], vals[1]);
+                       return scnprintf(buf, len, "%d.%09u", vals[0], vals[1]);
        case IIO_VAL_FRACTIONAL:
                tmp = div_s64((s64)vals[0] * 1000000000LL, vals[1]);
                tmp1 = vals[1];
                tmp0 = (int)div_s64_rem(tmp, 1000000000, &tmp1);
-               return snprintf(buf, len, "%d.%09u", tmp0, abs(tmp1));
+               return scnprintf(buf, len, "%d.%09u", tmp0, abs(tmp1));
        case IIO_VAL_FRACTIONAL_LOG2:
                tmp = shift_right((s64)vals[0] * 1000000000LL, vals[1]);
                tmp0 = (int)div_s64_rem(tmp, 1000000000LL, &tmp1);
-               return snprintf(buf, len, "%d.%09u", tmp0, abs(tmp1));
+               return scnprintf(buf, len, "%d.%09u", tmp0, abs(tmp1));
        case IIO_VAL_INT_MULTIPLE:
        {
                int i;
                int l = 0;
 
                for (i = 0; i < size; ++i) {
-                       l += snprintf(&buf[l], len - l, "%d ", vals[i]);
+                       l += scnprintf(&buf[l], len - l, "%d ", vals[i]);
                        if (l >= len)
                                break;
                }
                return l;
        }
        case IIO_VAL_CHAR:
-               return snprintf(buf, len, "%c", (char)vals[0]);
+               return scnprintf(buf, len, "%c", (char)vals[0]);
        default:
                return 0;
        }
@@ -676,10 +676,10 @@ static ssize_t iio_format_avail_list(char *buf, const int *vals,
                        if (len >= PAGE_SIZE)
                                return -EFBIG;
                        if (i < length - 1)
-                               len += snprintf(buf + len, PAGE_SIZE - len,
+                               len += scnprintf(buf + len, PAGE_SIZE - len,
                                                " ");
                        else
-                               len += snprintf(buf + len, PAGE_SIZE - len,
+                               len += scnprintf(buf + len, PAGE_SIZE - len,
                                                "\n");
                        if (len >= PAGE_SIZE)
                                return -EFBIG;
@@ -692,10 +692,10 @@ static ssize_t iio_format_avail_list(char *buf, const int *vals,
                        if (len >= PAGE_SIZE)
                                return -EFBIG;
                        if (i < length / 2 - 1)
-                               len += snprintf(buf + len, PAGE_SIZE - len,
+                               len += scnprintf(buf + len, PAGE_SIZE - len,
                                                " ");
                        else
-                               len += snprintf(buf + len, PAGE_SIZE - len,
+                               len += scnprintf(buf + len, PAGE_SIZE - len,
                                                "\n");
                        if (len >= PAGE_SIZE)
                                return -EFBIG;
@@ -719,10 +719,10 @@ static ssize_t iio_format_avail_range(char *buf, const int *vals, int type)
                        if (len >= PAGE_SIZE)
                                return -EFBIG;
                        if (i < 2)
-                               len += snprintf(buf + len, PAGE_SIZE - len,
+                               len += scnprintf(buf + len, PAGE_SIZE - len,
                                                " ");
                        else
-                               len += snprintf(buf + len, PAGE_SIZE - len,
+                               len += scnprintf(buf + len, PAGE_SIZE - len,
                                                "]\n");
                        if (len >= PAGE_SIZE)
                                return -EFBIG;
@@ -735,10 +735,10 @@ static ssize_t iio_format_avail_range(char *buf, const int *vals, int type)
                        if (len >= PAGE_SIZE)
                                return -EFBIG;
                        if (i < 2)
-                               len += snprintf(buf + len, PAGE_SIZE - len,
+                               len += scnprintf(buf + len, PAGE_SIZE - len,
                                                " ");
                        else
-                               len += snprintf(buf + len, PAGE_SIZE - len,
+                               len += scnprintf(buf + len, PAGE_SIZE - len,
                                                "]\n");
                        if (len >= PAGE_SIZE)
                                return -EFBIG;