staging: rtl8723bs: Use scnprintf() for avoiding potential buffer overflow
authorTakashi Iwai <tiwai@suse.de>
Wed, 11 Mar 2020 09:24:51 +0000 (10:24 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 12 Mar 2020 08:23:59 +0000 (09:23 +0100)
Since snprintf() returns the would-be-output size instead of the
actual output size, the succeeding calls may go beyond the given
buffer limit.  Fix it by replacing with scnprintf().

Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://lore.kernel.org/r/20200311092451.23933-4-tiwai@suse.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/staging/rtl8723bs/core/rtw_wlan_util.c
drivers/staging/rtl8723bs/os_dep/ioctl_linux.c

index 9590e6f..49807d8 100644 (file)
@@ -326,20 +326,20 @@ inline void rtw_set_oper_ch(struct adapter *adapter, u8 ch)
                dvobj->on_oper_ch_time = jiffies;
 
 #ifdef DBG_CH_SWITCH
-               cnt += snprintf(msg+cnt, len-cnt, "switch to ch %3u", ch);
+               cnt += scnprintf(msg+cnt, len-cnt, "switch to ch %3u", ch);
 
                for (i = 0; i < dvobj->iface_nums; i++) {
                        struct adapter *iface = dvobj->padapters[i];
-                       cnt += snprintf(msg+cnt, len-cnt, " ["ADPT_FMT":", ADPT_ARG(iface));
+                       cnt += scnprintf(msg+cnt, len-cnt, " ["ADPT_FMT":", ADPT_ARG(iface));
                        if (iface->mlmeextpriv.cur_channel == ch)
-                               cnt += snprintf(msg+cnt, len-cnt, "C");
+                               cnt += scnprintf(msg+cnt, len-cnt, "C");
                        else
-                               cnt += snprintf(msg+cnt, len-cnt, "_");
+                               cnt += scnprintf(msg+cnt, len-cnt, "_");
                        if (iface->wdinfo.listen_channel == ch && !rtw_p2p_chk_state(&iface->wdinfo, P2P_STATE_NONE))
-                               cnt += snprintf(msg+cnt, len-cnt, "L");
+                               cnt += scnprintf(msg+cnt, len-cnt, "L");
                        else
-                               cnt += snprintf(msg+cnt, len-cnt, "_");
-                       cnt += snprintf(msg+cnt, len-cnt, "]");
+                               cnt += scnprintf(msg+cnt, len-cnt, "_");
+                       cnt += scnprintf(msg+cnt, len-cnt, "]");
                }
 
                DBG_871X(FUNC_ADPT_FMT" %s\n", FUNC_ADPT_ARG(adapter), msg);
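Review bot: Each interface's fragment in the loop is still built by five separate `cnt += scnprintf(msg+cnt, len-cnt, ...)` calls, and every one must repeat the offset and remaining-size arithmetic correctly. One call per interface would leave a single place to audit, e.g. `cnt += scnprintf(msg+cnt, len-cnt, " ["ADPT_FMT":%c%c]", ADPT_ARG(iface), on_ch ? 'C' : '_', on_listen ? 'L' : '_');`, with the two existing conditions held in local booleans. The bound is only sound if `len` really is the size of `msg`; both are declared outside this hunk (rtw_set_oper_ch starts and ends outside it), so check that against the declaration. A short comment above the first call, such as `/* scnprintf() returns the bytes actually stored, so cnt < len always holds */`, would record why snprintf() must not come back here.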
index c145f62..29f36cc 100644 (file)
@@ -197,12 +197,12 @@ static char *translate_scan(struct adapter *padapter,
        if (!custom)
                return start;
        p = custom;
-       p += snprintf(p, MAX_CUSTOM_LEN - (p - custom), " Rates (Mb/s): ");
+       p += scnprintf(p, MAX_CUSTOM_LEN - (p - custom), " Rates (Mb/s): ");
        while (pnetwork->network.SupportedRates[i] != 0) {
                rate = pnetwork->network.SupportedRates[i]&0x7F;
                if (rate > max_rate)
                        max_rate = rate;
-               p += snprintf(p, MAX_CUSTOM_LEN - (p - custom),
+               p += scnprintf(p, MAX_CUSTOM_LEN - (p - custom),
                              "%d%s ", rate >> 1, (rate & 1) ? ".5" : "");
                i++;
        }
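Review bot: The loop `while (pnetwork->network.SupportedRates[i] != 0)` still has no upper bound on `i`, so the read side depends on a zero terminator even though the write into `custom` is now bounded. The rate list appears to come from a scanned network, which makes that terminator something the driver should not take on trust. If `SupportedRates` is a fixed-size array (its declaration is outside this hunk), the condition could become `while (i < ARRAY_SIZE(pnetwork->network.SupportedRates) && pnetwork->network.SupportedRates[i] != 0) {`. Also note that with scnprintf() a rate list longer than MAX_CUSTOM_LEN is now cut off silently, which is safe but deserves a one-line comment. translate_scan starts and ends outside the hunk.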