From: Colin King
To: Kalle Valo, "David S . Miller", Jakub Kicinski, Arnd Bergmann, linux-wireless@vger.kernel.org, netdev@vger.kernel.org
Cc: kernel-janitors@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH][next][V2] wlcore: Fix buffer overrun by snprintf due to incorrect buffer size
Date: Mon, 19 Apr 2021 15:14:05 +0100
Message-Id: <20210419141405.180582-1-colin.king@canonical.com>

From: Colin Ian King

The size of the buffer that can be written to is currently incorrect; it is always the size of the entire buffer even though the snprintf is writing at position pos into the buffer. Fix this by setting the buffer size to be the number of bytes left in the buffer, namely sizeof(buf) - pos.

Addresses-Coverity: ("Out-of-bounds access")
Fixes: 7b0e2c4f6be3 ("wlcore: fix overlapping snprintf arguments in debugfs")
Signed-off-by: Colin Ian King
Reviewed-by: Arnd Bergmann

--- V2: Fix patch subject --- drivers/net/wireless/ti/wlcore/debugfs.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/wireless/ti/wlcore/debugfs.h b/drivers/net/wireless/ti/wlcore/debugfs.h index 715edfa5f89f..a9e13e6d65c5 100644 --- a/drivers/net/wireless/ti/wlcore/debugfs.h +++ b/drivers/net/wireless/ti/wlcore/debugfs.h @@ -84,7 +84,7 @@ static ssize_t sub## _ ##name## _read(struct file *file, \ wl1271_debugfs_update_stats(wl); \ \ for (i = 0; i < len && pos < sizeof(buf); i++) \ - pos += snprintf(buf + pos, sizeof(buf), \ + pos += snprintf(buf + pos, sizeof(buf) - pos, \ "[%d] = %d\n", i, stats->sub.name[i]); \ \ return wl1271_format_buffer(userbuf, count, ppos, "%s", buf); \ -- 2.30.2
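
Review bot: in the `pos += snprintf(buf + pos, sizeof(buf) - pos, ...)` line, snprintf() returns the length the output would have had, not the number of bytes stored, so after a truncated write pos can end up larger than sizeof(buf). The `pos < sizeof(buf)` loop condition keeps the next `sizeof(buf) - pos` from wrapping, but the code now depends on that guard staying in place; using scnprintf() here would keep pos inside the buffer by construction. The new size argument itself is the right bound for a write that starts at buf + pos.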
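
The bounded-append loop the commit message describes, as an added userspace C example (not code from the patch or the wlcore driver). `bounded_printf`, `format_stats` and `overrun_window` are hypothetical names, the sample values are constructed, and clamping the return value the way the kernel's `scnprintf()` does goes one step beyond what the patch changes.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Userspace stand-in (hypothetical helper) for the kernel's scnprintf():
 * returns the number of bytes actually stored, excluding the NUL. */
static size_t bounded_printf(char *dst, size_t size, const char *fmt, ...)
{
    va_list ap;
    int n;
    if (size == 0)
        return 0;
    va_start(ap, fmt);
    n = vsnprintf(dst, size, fmt, ap);
    va_end(ap);
    if (n < 0)
        return 0;                                   /* encoding error */
    return (size_t)n < size ? (size_t)n : size - 1; /* clamp on truncation */
}

/* Append "[i] = value" lines as the patched loop does: each write is told
 * how much space is left after pos, not the size of the whole buffer. */
size_t format_stats(char *buf, size_t size, const int *vals, size_t len)
{
    size_t pos = 0;
    if (size == 0)
        return 0;
    buf[0] = '\0';
    for (size_t i = 0; i < len && pos < size - 1; i++)
        pos += bounded_printf(buf + pos, size - pos, "[%zu] = %d\n", i, vals[i]);
    return pos;                                     /* always <= size - 1 */
}

/* Bytes past the end of buf that a write starting at buf + pos may touch
 * when it is told the size is `claimed`; 0 means it stays in bounds. */
size_t overrun_window(size_t size, size_t pos, size_t claimed)
{
    return pos + claimed > size ? pos + claimed - size : 0;
}

int main(void)
{
    char buf[16];                                   /* constructed sample */
    const int vals[] = { 10, 200, 3000 };
    size_t n = format_stats(buf, sizeof(buf), vals, 3);
    printf("%zu bytes kept; old size argument at pos 9 allowed %zu bytes past the end\n",
           n, overrun_window(sizeof(buf), 9, sizeof(buf)));
    return 0;
}
```

With the pre-patch size argument the permitted overrun equals pos, so it grows with every line appended; with `size - pos` it is always zero.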