| From a7504b99e1ab3dd7b20bd60a523fd8274a809020 Mon Sep 17 00:00:00 2001 |
| From: Sasha Levin <sashal@kernel.org> |
| Date: Mon, 19 Apr 2021 15:14:05 +0100 |
| Subject: wlcore: Fix buffer overrun by snprintf due to incorrect buffer size |
| |
| From: Colin Ian King <colin.king@canonical.com> |
| |
| [ Upstream commit a9a4c080deb33f44e08afe35f4ca4bb9ece89f4e ] |
| |
| The size of the buffer than can be written to is currently incorrect, it is |
| always the size of the entire buffer even though the snprintf is writing |
| as position pos into the buffer. Fix this by setting the buffer size to be |
| the number of bytes left in the buffer, namely sizeof(buf) - pos. |
| |
| Addresses-Coverity: ("Out-of-bounds access") |
| Fixes: 7b0e2c4f6be3 ("wlcore: fix overlapping snprintf arguments in debugfs") |
| Signed-off-by: Colin Ian King <colin.king@canonical.com> |
| Reviewed-by: Arnd Bergmann <arnd@arndb.de> |
| Signed-off-by: Kalle Valo <kvalo@codeaurora.org> |
| Link: https://lore.kernel.org/r/20210419141405.180582-1-colin.king@canonical.com |
| Signed-off-by: Sasha Levin <sashal@kernel.org> |
| --- |
| drivers/net/wireless/ti/wlcore/debugfs.h | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| diff --git a/drivers/net/wireless/ti/wlcore/debugfs.h b/drivers/net/wireless/ti/wlcore/debugfs.h |
| index 715edfa5f89f..a9e13e6d65c5 100644 |
| --- a/drivers/net/wireless/ti/wlcore/debugfs.h |
| +++ b/drivers/net/wireless/ti/wlcore/debugfs.h |
| @@ -84,7 +84,7 @@ static ssize_t sub## _ ##name## _read(struct file *file, \ |
| wl1271_debugfs_update_stats(wl); \ |
| \ |
| for (i = 0; i < len && pos < sizeof(buf); i++) \ |
| - pos += snprintf(buf + pos, sizeof(buf), \ |
| + pos += snprintf(buf + pos, sizeof(buf) - pos, \ |
| "[%d] = %d\n", i, stats->sub.name[i]); \ |
| \ |
| return wl1271_format_buffer(userbuf, count, ppos, "%s", buf); \ |
| -- |
| 2.30.2 |
| |