Received: by 2002:a05:6a10:17d3:0:0:0:0 with SMTP id hz19csp2589146pxb;
        Mon, 19 Apr 2021 09:03:50 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJyXyUmScrCdTR94JpKb3PhVcOzLPNRdi7Z8s/5t2c6JqbXj1E5I2bdiE8ORpTi+5kCxhkgH
X-Received: by 2002:a05:6402:2708:: with SMTP id y8mr26752700edd.265.1618848230542;
        Mon, 19 Apr 2021 09:03:50 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1618848230; cv=none;
        d=google.com; s=arc-20160816;
        b=yLiIi7duCRi1XS2w8AOnofnfnnve17PFJKcoLhidWecP3KNYwXIAv2/YjIbPYubiJY
         ie2QiyXNYDVPOfTJtpuo0ABT3kO8Xb6/Lu6FwMyEKwg6GRDYUGeo0wtzRsnLdJzuPqEk
         KOutXzDrSls7msGjqLwx+V66QrfoATBeCWrfJNIJC5eXIoMMEl6X/jY7CJCZuUbgLVXo
         eTody8UVuJqvSbz7nfG+1dYR3dT36eBLmRvEgMrbeSPpX6v9bchKHoRnl5QTPDlRZ6x8
         c19Nu19Otk15YrCAl3PpCv8Ey8Tj8yNcNFfh8GPHR+RKk42kLSu2uE4m95tbUE6+OGsZ
         frZA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :message-id:date:subject:cc:to:from;
        bh=2PRmlXtMCB1gvMuU7F0cszQbVPGmU7zNUSVNigw8c0s=;
        b=eeRrWhMjJUT73QVp4zvNW//b43lc/QPfmV9mw0ftLY4L3GDvENswnFKQdRTO/EWdcj
         AjenQ7pVBpXVSjRPwrWx8IQVDiFnuuqsUy1VhoO+G0F2w162Q3bq+Gp221P9t+H1WD9U
         01Vdnh1aLq32IrXAUV2BPde8Lu1mhrpyl1e2gAtoL8MUvQDKKqaTeQBzNXIwivtS/RWW
         CFnCtxwnMGcZCk3trVqd6vBN5YRobFnLRnG5xl/jYAREWPZztMBGwrjzkHU7TQlnJdJK
         6m5cQ/vphbkmyG7YOp9y9lhZVkn4TaGlZ4dcxklIgq6Hvz0K1FDpxVH1wiM4IPGbxqpw
         eJIA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=canonical.com
Return-Path: <linux-wireless-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id h15si12781641edb.566.2021.04.19.09.03.20;
        Mon, 19 Apr 2021 09:03:50 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=canonical.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S239999AbhDSOC1 (ORCPT <rfc822;benjamin.aschenbrenner@gmail.com>
        + 99 others); Mon, 19 Apr 2021 10:02:27 -0400
Received: from youngberry.canonical.com ([91.189.89.112]:32953 "EHLO
        youngberry.canonical.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S230021AbhDSOC0 (ORCPT
        <rfc822;linux-wireless@vger.kernel.org>);
        Mon, 19 Apr 2021 10:02:26 -0400
Received: from 1.general.cking.uk.vpn ([10.172.193.212] helo=localhost)
        by youngberry.canonical.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
        (Exim 4.86_2)
        (envelope-from <colin.king@canonical.com>)
        id 1lYUTJ-0006Ax-1e; Mon, 19 Apr 2021 14:01:53 +0000
From:   Colin King <colin.king@canonical.com>
To:     Kalle Valo <kvalo@codeaurora.org>,
        "David S . Miller" <davem@davemloft.net>,
        Jakub Kicinski <kuba@kernel.org>,
        Arnd Bergmann <arnd@arndb.de>, linux-wireless@vger.kernel.org,
        netdev@vger.kernel.org
Cc:     kernel-janitors@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH][next] wlcore: Fix buffer overrun by snprintf due to incorrect buffer size Content-Type: text/plain; charset="utf-8"
Date:   Mon, 19 Apr 2021 15:01:52 +0100
Message-Id: <20210419140152.180361-1-colin.king@canonical.com>
X-Mailer: git-send-email 2.30.2
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <linux-wireless.vger.kernel.org>
X-Mailing-List: linux-wireless@vger.kernel.org

From: Colin Ian King <colin.king@canonical.com>

The size of the buffer than can be written to is currently incorrect, it is
always the size of the entire buffer even though the snprintf is writing
as position pos into the buffer. Fix this by setting the buffer size to be
the number of bytes left in the buffer, namely sizeof(buf) - pos.

Addresses-Coverity: ("Out-of-bounds access")
Fixes: 7b0e2c4f6be3 ("wlcore: fix overlapping snprintf arguments in debugfs")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
---
 drivers/net/wireless/ti/wlcore/debugfs.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/wireless/ti/wlcore/debugfs.h b/drivers/net/wireless/ti/wlcore/debugfs.h
index 715edfa5f89f..a9e13e6d65c5 100644
--- a/drivers/net/wireless/ti/wlcore/debugfs.h
+++ b/drivers/net/wireless/ti/wlcore/debugfs.h
@@ -84,7 +84,7 @@ static ssize_t sub## _ ##name## _read(struct file *file,		\
 	wl1271_debugfs_update_stats(wl);				\
 									\
 	for (i = 0; i < len && pos < sizeof(buf); i++)			\
-		pos += snprintf(buf + pos, sizeof(buf),			\
+		pos += snprintf(buf + pos, sizeof(buf) - pos,		\
 			 "[%d] = %d\n", i, stats->sub.name[i]);		\
 									\
 	return wl1271_format_buffer(userbuf, count, ppos, "%s", buf);	\
-- 
2.30.2