From: Wang Long
Subject: [RFC PATCH 12/17] seq_buf: Fix seq_buf_vprintf() truncation
Date: Thu, 14 May 2015 11:34:59 +0000
Message-ID: <1431603304-162571-13-git-send-email-long.wanglong@huawei.com>
In-Reply-To: <1431603304-162571-1-git-send-email-long.wanglong@huawei.com>
X-Mailing-List: linux-kernel@vger.kernel.org

From: "Steven Rostedt (Red Hat)"

commit 4a8fe4e1811c96ad0ad9f4083f2fe4fb43b2988d upstream.

In seq_buf_vprintf(), vsnprintf() is used to copy the format into the buffer remaining in the seq_buf structure. The return of vsnprintf() is the amount of characters written to the buffer excluding the '\0', unless the line was truncated!

If the line copied does not fit, it is truncated, and a '\0' is added to the end of the buffer. But in this case, '\0' is included in the length of the line written. To know if the buffer had overflowed, the return length will be the same as the length of the buffer passed in.

The check in seq_buf_vprintf() only checked if the length returned from vsnprintf() would fit in the buffer, as the seq_buf_vprintf() is only to be an all or nothing command. It either writes all the string into the seq_buf, or none of it. If the string is truncated, the pointers inside the seq_buf must be reset to what they were when the function was called. This is not the case. On overflow, it copies only part of the string.

The fix is to change the overflow check to see if the length returned from vsnprintf() is less than the length remaining in the seq_buf buffer, and not if it is less than or equal to as it currently does. Then seq_buf_vprintf() will know if the write from vsnprintf() was truncated or not.

Cc: stable@vger.kernel.org
[wanglong: backport to 3.10 stable]
Signed-off-by: Wang Long
Signed-off-by: Steven Rostedt
--- lib/seq_buf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/seq_buf.c b/lib/seq_buf.c index 4eedfed..795dd94 100644 --- a/lib/seq_buf.c +++ b/lib/seq_buf.c
@@ -61,7 +61,7 @@ int seq_buf_vprintf(struct seq_buf *s, const char *fmt, va_list args) if (s->len < s->size) { len = vsnprintf(s->buffer + s->len, s->size - s->len, fmt, args); - if (seq_buf_can_fit(s, len)) { + if (s->len + len < s->size) { s->len += len; return 0; } -- 1.8.3.4
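
Review bot: The replacement condition 'if (s->len + len < s->size)' open-codes a comparison that differs from the removed seq_buf_can_fit(s, len) call only in strictness, and nothing at that line says why. A short comment above the 'if' noting that a length equal to the remaining space is treated as truncation would stop a later cleanup from switching it back to the helper. The diffstat shows a single changed line, so seq_buf_can_fit() itself is unchanged, and any other caller in lib/seq_buf.c that passes it a vsnprintf()-style return value keeps the '<=' behaviour the commit message describes; it is worth checking those callers as part of this backport. The failure branch after the closing brace is outside the shown context, so confirm that it leaves s->len untouched and flags the overflow, since vsnprintf() has already written the truncated bytes into the buffer by that point.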