mmc: vub300: Use scnprintf() for avoiding potential buffer overflow

tiwai · storulf · commit 6bbcf74dd929 · 2020-03-24T14:39:52.000+01:00
Since snprintf() returns the would-be-output size instead of the actual output size, the succeeding calls may go beyond the given buffer limit. Fix it by replacing with scnprintf(). Signed-off-by: Takashi Iwai <tiwai@suse.de> Link: https://lore.kernel.org/r/20200311080439.13928-1-tiwai@suse.de Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
diff --git a/drivers/mmc/host/vub300.c b/drivers/mmc/host/vub300.c
@@ -1363,7 +1363,7 @@ static void download_offload_pseudocode(struct vub300_mmc_host *vub300)
 	int retval;
 	for (n = 0; n < sdio_funcs; n++) {
 		struct sdio_func *sf = card->sdio_func[n];
-		l += snprintf(vub300->vub_name + l,
+		l += scnprintf(vub300->vub_name + l,
 			      sizeof(vub300->vub_name) - l, "_%04X%04X",
 			      sf->vendor, sf->device);
 	}

Original file line number	Diff line number	Diff line change
`@@ -1363,7 +1363,7 @@ static void download_offload_pseudocode(struct vub300_mmc_host *vub300)`
`1363`	`1363`	`int retval;`
`1364`	`1364`	`for (n = 0; n < sdio_funcs; n++) {`
`1365`	`1365`	`struct sdio_func *sf = card->sdio_func[n];`
`1366`		`- l += snprintf(vub300->vub_name + l,`
	`1366`	`+ l += scnprintf(vub300->vub_name + l,`
`1367`	`1367`	`sizeof(vub300->vub_name) - l, "_%04X%04X",`
`1368`	`1368`	`sf->vendor, sf->device);`
`1369`	`1369`	`}`