Precision "%.*s" was intended instead of width "%*s". The original code
will print garbage from beyond the end of the skb->data.
Fixes: d76d6c3ba2b0 ("mt76: mt7615: limit firmware log message printk to buffer length")
Signed-off-by: Dan Carpenter <[email protected]>
---
drivers/net/wireless/mediatek/mt76/mt7615/mcu.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/wireless/mediatek/mt76/mt7615/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7615/mcu.c
index 9b9f8d88e9bb..00b1b657cb21 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7615/mcu.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7615/mcu.c
@@ -424,7 +424,7 @@ mt7615_mcu_rx_log_message(struct mt7615_dev *dev, struct sk_buff *skb)
break;
}
- wiphy_info(mt76_hw(dev)->wiphy, "%s: %*s", type,
+ wiphy_info(mt76_hw(dev)->wiphy, "%s: %.*s", type,
(int)(skb->len - sizeof(*rxd)), data);
}
--
2.30.2
Precision %.*s was intended instead of width %*s. The original code
is potentially an information leak.
Fixes: c7cc5ec57303 ("mt76: mt7921: rework mt7921_mcu_debug_msg_event routine")
Signed-off-by: Dan Carpenter <[email protected]>
---
drivers/net/wireless/mediatek/mt76/mt7921/mcu.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c
index aa55667b6ed7..45ad2c337d41 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7921/mcu.c
@@ -500,7 +500,7 @@ mt7921_mcu_debug_msg_event(struct mt7921_dev *dev, struct sk_buff *skb)
if (!msg->content[i])
msg->content[i] = ' ';
}
- wiphy_info(mt76_hw(dev)->wiphy, "%*s", len, msg->content);
+ wiphy_info(mt76_hw(dev)->wiphy, "%.*s", len, msg->content);
}
}
--
2.30.2