forked from Minki/linux
net: netdevsim: Use scnprintf() for avoiding potential buffer overflow
Since snprintf() returns the would-be-output size instead of the actual output size, the succeeding calls may go beyond the given buffer limit. Fix it by replacing with scnprintf(). Cc: "David S . Miller" <davem@davemloft.net> Cc: Jakub Kicinski <kuba@kernel.org> Cc: netdev@vger.kernel.org Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
parent
5e892880e1
commit
2da222f612
@ -29,9 +29,9 @@ static ssize_t nsim_dbg_netdev_ops_read(struct file *filp,
|
||||
return -ENOMEM;
|
||||
|
||||
p = buf;
|
||||
p += snprintf(p, bufsize - (p - buf),
|
||||
"SA count=%u tx=%u\n",
|
||||
ipsec->count, ipsec->tx);
|
||||
p += scnprintf(p, bufsize - (p - buf),
|
||||
"SA count=%u tx=%u\n",
|
||||
ipsec->count, ipsec->tx);
|
||||
|
||||
for (i = 0; i < NSIM_IPSEC_MAX_SA_COUNT; i++) {
|
||||
struct nsim_sa *sap = &ipsec->sa[i];
|
||||
@ -39,18 +39,18 @@ static ssize_t nsim_dbg_netdev_ops_read(struct file *filp,
|
||||
if (!sap->used)
|
||||
continue;
|
||||
|
||||
p += snprintf(p, bufsize - (p - buf),
|
||||
"sa[%i] %cx ipaddr=0x%08x %08x %08x %08x\n",
|
||||
i, (sap->rx ? 'r' : 't'), sap->ipaddr[0],
|
||||
sap->ipaddr[1], sap->ipaddr[2], sap->ipaddr[3]);
|
||||
p += snprintf(p, bufsize - (p - buf),
|
||||
"sa[%i] spi=0x%08x proto=0x%x salt=0x%08x crypt=%d\n",
|
||||
i, be32_to_cpu(sap->xs->id.spi),
|
||||
sap->xs->id.proto, sap->salt, sap->crypt);
|
||||
p += snprintf(p, bufsize - (p - buf),
|
||||
"sa[%i] key=0x%08x %08x %08x %08x\n",
|
||||
i, sap->key[0], sap->key[1],
|
||||
sap->key[2], sap->key[3]);
|
||||
p += scnprintf(p, bufsize - (p - buf),
|
||||
"sa[%i] %cx ipaddr=0x%08x %08x %08x %08x\n",
|
||||
i, (sap->rx ? 'r' : 't'), sap->ipaddr[0],
|
||||
sap->ipaddr[1], sap->ipaddr[2], sap->ipaddr[3]);
|
||||
p += scnprintf(p, bufsize - (p - buf),
|
||||
"sa[%i] spi=0x%08x proto=0x%x salt=0x%08x crypt=%d\n",
|
||||
i, be32_to_cpu(sap->xs->id.spi),
|
||||
sap->xs->id.proto, sap->salt, sap->crypt);
|
||||
p += scnprintf(p, bufsize - (p - buf),
|
||||
"sa[%i] key=0x%08x %08x %08x %08x\n",
|
||||
i, sap->key[0], sap->key[1],
|
||||
sap->key[2], sap->key[3]);
|
||||
}
|
||||
|
||||
len = simple_read_from_buffer(buffer, count, ppos, buf, p - buf);
|
||||
|
Loading…
Reference in New Issue
Block a user