Commit 190c8f72 authored by Takashi Iwai's avatar Takashi Iwai Committed by Greg Kroah-Hartman
Browse files

staging: vc04_services: Use scnprintf() for avoiding potential buffer overflow 



Since snprintf() returns the would-be-output size instead of the
actual output size, the succeeding calls may go beyond the given
buffer limit.  Fix it by replacing with scnprintf().

Reviewed-by: default avatarNicolas Saenz Julienne <nsaenzjulienne@suse.de>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: bcm-kernel-feedback-list@broadcom.com
Cc: linux-rpi-kernel@lists.infradead.org
Cc: devel@driverdev.osuosl.org
Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
Link: https://lore.kernel.org/r/20200319161300.25967-1-tiwai@suse.de


Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 0432184f

drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c

+3 −3
Original line number Diff line number Diff line
@@ -2161,17 +2161,17 @@ int vchiq_dump_platform_service_state(void *dump_context, 
	char buf[80];

	int len;



	len = snprintf(buf, sizeof(buf), "  instance %pK", service->instance);

	len = scnprintf(buf, sizeof(buf), "  instance %pK", service->instance);



	if ((service->base.callback == service_callback) &&

		user_service->is_vchi) {

		len += snprintf(buf + len, sizeof(buf) - len,

		len += scnprintf(buf + len, sizeof(buf) - len,

			", %d/%d messages",

			user_service->msg_insert - user_service->msg_remove,

			MSG_QUEUE_SIZE);



		if (user_service->dequeue_pending)

			len += snprintf(buf + len, sizeof(buf) - len,

			len += scnprintf(buf + len, sizeof(buf) - len,

				" (dequeue pending)");

	}