wlcore: Fix buffer overrun by snprintf due to incorrect buffer size

stable inclusion from stable-5.10.37 commit b6b894e7a27e52a9032a7eaace538538830d4b9e bugzilla: 51868 CVE: NA -------------------------------- [ Upstream commit a9a4c080 ] The size of the buffer than can be written to is currently incorrect, it is always the size of the entire buffer even though the snprintf is writing as position pos into the buffer. Fix this by setting the buffer size to be the number of bytes left in the buffer, namely sizeof(buf) - pos. Addresses-Coverity: ("Out-of-bounds access") Fixes: 7b0e2c4f ("wlcore: fix overlapping snprintf arguments in debugfs") Signed-off-by: N Colin Ian King <colin.king@canonical.com> Reviewed-by: N Arnd Bergmann <arnd@arndb.de> Signed-off-by: N Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/20210419141405.180582-1-colin.king@canonical.comSigned-off-by: N Sasha Levin <sashal@kernel.org> Signed-off-by: N Chen Jun <chenjun102@huawei.com> Acked-by: N Weilong Chen <chenweilong@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>

wlcore: Fix buffer overrun by snprintf due to incorrect buffer size
stable inclusion from stable-5.10.37 commit b6b894e7a27e52a9032a7eaace538538830d4b9e bugzilla: 51868 CVE: NA -------------------------------- [ Upstream commit a9a4c080 ] The size of the buffer than can be written to is currently incorrect, it is always the size of the entire buffer even though the snprintf is writing as position pos into the buffer. Fix this by setting the buffer size to be the number of bytes left in the buffer, namely sizeof(buf) - pos. Addresses-Coverity: ("Out-of-bounds access") Fixes: 7b0e2c4f ("wlcore: fix overlapping snprintf arguments in debugfs") Signed-off-by: N Colin Ian King <colin.king@canonical.com> Reviewed-by: N Arnd Bergmann <arnd@arndb.de> Signed-off-by: N Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/20210419141405.180582-1-colin.king@canonical.comSigned-off-by: N Sasha Levin <sashal@kernel.org> Signed-off-by: N Chen Jun <chenjun102@huawei.com> Acked-by: N Weilong Chen <chenweilong@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>
c435eb2f · Colin Ian King · Zheng Zengkai · ebac2df6 · c435eb2f
隐藏空白更改
内联并排

Showing with 1 addition and 1 deletion

drivers/net/wireless/ti/wlcore/debugfs.h drivers/net/wireless/ti/wlcore/debugfs.h +1 -1

未找到文件。
--- a/drivers/net/wireless/ti/wlcore/debugfs.h
+++ b/drivers/net/wireless/ti/wlcore/debugfs.h
@@ -84,7 +84,7 @@ static ssize_t sub## _ ##name## _read(struct file *file,		\
 	wl1271_debugfs_update_stats(wl);				\
 									\
 	for (i = 0; i < len && pos < sizeof(buf); i++)			\
-		pos += snprintf(buf + pos, sizeof(buf),			\
+		pos += snprintf(buf + pos, sizeof(buf) - pos,		\
 			 "[%d] = %d\n", i, stats->sub.name[i]);		\
 									\
 	return wl1271_format_buffer(userbuf, count, ppos, "%s", buf);	\