intel_scu_mip: fix Klocwork severe issues
authorShijie Zhang <shijie.zhang@intel.com>
Tue, 8 May 2012 14:17:36 +0000 (22:17 +0800)
committerbuildbot <buildbot@intel.com>
Fri, 11 May 2012 10:38:11 +0000 (03:38 -0700)
BZ: 35184

Function 'snprintf' possibly accepts format string that may be
influenced by user, causing format string vulnerability. Undefined
string lengths can lead to buffer overflows and potential exploitation
by attackers. We should use a defined value for string lengths.

This patch fixes this issue.

Change-Id: I765e3a3a4a37a79dd1efc52da77908118563ce60
Signed-off-by: Shijie Zhang <shijie.zhang@intel.com>
Reviewed-on: http://android.intel.com:8080/47747
Reviewed-by: Yang, Bin <bin.yang@intel.com>
Reviewed-by: Yan, Leo <leo.yan@intel.com>
Reviewed-by: Li, Ning <ning.li@intel.com>
Reviewed-by: Chen, Jie D <jie.d.chen@intel.com>
Reviewed-by: Cai, Stanley W <stanley.w.cai@intel.com>
Tested-by: Tang, HaifengX <haifengx.tang@intel.com>
Reviewed-by: buildbot <buildbot@intel.com>
Tested-by: buildbot <buildbot@intel.com>
drivers/platform/x86/intel_scu_mip.c

index 599bfb4..bce3da1 100644 (file)
@@ -137,33 +137,30 @@ static int mip_issigned;
 static int mip_dbg_error;
 static char mip_cmd[MIP_CMD_LEN];
 
-static char *mip_msg_format[] = {
-       "data[%d]: %#x\n",
-       "len: %d\n",
-       "offset: %#x\n",
-       "issigned: %d\n",
-       "error: %d\n",
-};
-
-static int mip_generic_show(char *buf, int type, int *data)
+static ssize_t mip_generic_show(char *buf, int type, int *data)
 {
-       int i, buf_size;
-       int ret = 0;
+       int i;
+       ssize_t ret = 0;
 
        switch (type) {
        case MIP_DBG_DATA:
                for (i = 0; i < valid_data_nr; i++) {
-                       buf_size = PAGE_SIZE - ret;
-                       ret += snprintf(buf + ret, buf_size,
-                                       mip_msg_format[type],
+                       ret += snprintf(buf + ret, PAGE_SIZE - ret,
+                                       "data[%d]: %#x\n",
                                        i, mip_data[i]);
                }
                break;
        case MIP_DBG_LEN:
+               ret = snprintf(buf, PAGE_SIZE, "len: %d\n", *data);
+               break;
        case MIP_DBG_OFFSET:
+               ret = snprintf(buf, PAGE_SIZE, "offset: %#x\n", *data);
+               break;
        case MIP_DBG_ISSIGNED:
+               ret = snprintf(buf, PAGE_SIZE, "issigned: %d\n", *data);
+               break;
        case MIP_DBG_ERROR:
-               ret = snprintf(buf, PAGE_SIZE, mip_msg_format[type], *data);
+               ret = snprintf(buf, PAGE_SIZE, "error: %d\n", *data);
                break;
        default:
                break;
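Review bot: In the MIP_DBG_DATA loop, `ret += snprintf(buf + ret, PAGE_SIZE - ret, ...)` accumulates the length the output would have had, not the bytes actually stored, because snprintf returns the untruncated length. If the valid_data_nr entries ever format to more than PAGE_SIZE bytes, ret passes PAGE_SIZE, the next `PAGE_SIZE - ret` presumably wraps to a very large unsigned size, and the function reports a length larger than the buffer to its caller. Writing the call as `ret += scnprintf(buf + ret, PAGE_SIZE - ret, "data[%d]: %#x\n", i, mip_data[i]);` keeps ret bounded by what was really written. The bound on valid_data_nr and the end of mip_generic_show after the switch are outside this hunk, so whether the overflow is reachable has to be checked there.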