From e39c0ffe8cc3cce212928168236bfd0c22965235 Mon Sep 17 00:00:00 2001 From: Takashi Iwai Date: Wed, 11 Mar 2020 10:29:30 +0100 Subject: [PATCH] tty: serial: pch_uart: Use scnprintf() for avoiding potential buffer overflow Since snprintf() returns the would-be-output size instead of the actual output size, the succeeding calls may go beyond the given buffer limit. Fix it by replacing with scnprintf(). Signed-off-by: Takashi Iwai Link: https://lore.kernel.org/r/20200311092930.24433-1-tiwai@suse.de Signed-off-by: Greg Kroah-Hartman --- drivers/tty/serial/pch_uart.c | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/drivers/tty/serial/pch_uart.c b/drivers/tty/serial/pch_uart.c index 0a96217..40fa7a2 100644 --- a/drivers/tty/serial/pch_uart.c +++ b/drivers/tty/serial/pch_uart.c @@ -310,32 +310,32 @@ static ssize_t port_show_regs(struct file *file, char __user *user_buf, if (!buf) return 0; - len += snprintf(buf + len, PCH_REGS_BUFSIZE - len, + len += scnprintf(buf + len, PCH_REGS_BUFSIZE - len, "PCH EG20T port[%d] regs:\n", priv->port.line); - len += snprintf(buf + len, PCH_REGS_BUFSIZE - len, + len += scnprintf(buf + len, PCH_REGS_BUFSIZE - len, "=================================\n"); - len += snprintf(buf + len, PCH_REGS_BUFSIZE - len, + len += scnprintf(buf + len, PCH_REGS_BUFSIZE - len, "IER: \t0x%02x\n", ioread8(priv->membase + UART_IER)); - len += snprintf(buf + len, PCH_REGS_BUFSIZE - len, + len += scnprintf(buf + len, PCH_REGS_BUFSIZE - len, "IIR: \t0x%02x\n", ioread8(priv->membase + UART_IIR)); - len += snprintf(buf + len, PCH_REGS_BUFSIZE - len, + len += scnprintf(buf + len, PCH_REGS_BUFSIZE - len, "LCR: \t0x%02x\n", ioread8(priv->membase + UART_LCR)); - len += snprintf(buf + len, PCH_REGS_BUFSIZE - len, + len += scnprintf(buf + len, PCH_REGS_BUFSIZE - len, "MCR: \t0x%02x\n", ioread8(priv->membase + UART_MCR)); - len += snprintf(buf + len, PCH_REGS_BUFSIZE - len, + len += scnprintf(buf + len, PCH_REGS_BUFSIZE - len, "LSR: \t0x%02x\n", ioread8(priv->membase + UART_LSR)); - len += snprintf(buf + len, PCH_REGS_BUFSIZE - len, + len += scnprintf(buf + len, PCH_REGS_BUFSIZE - len, "MSR: \t0x%02x\n", ioread8(priv->membase + UART_MSR)); - len += snprintf(buf + len, PCH_REGS_BUFSIZE - len, + len += scnprintf(buf + len, PCH_REGS_BUFSIZE - len, "BRCSR: \t0x%02x\n", ioread8(priv->membase + PCH_UART_BRCSR)); lcr = ioread8(priv->membase + UART_LCR); iowrite8(PCH_UART_LCR_DLAB, priv->membase + UART_LCR); - len += snprintf(buf + len, PCH_REGS_BUFSIZE - len, + len += scnprintf(buf + len, PCH_REGS_BUFSIZE - len, "DLL: \t0x%02x\n", ioread8(priv->membase + UART_DLL)); - len += snprintf(buf + len, PCH_REGS_BUFSIZE - len, + len += scnprintf(buf + len, PCH_REGS_BUFSIZE - len, "DLM: \t0x%02x\n", ioread8(priv->membase + UART_DLM)); iowrite8(lcr, priv->membase + UART_LCR); -- 2.7.4