On Mon, 23 Mar 2020 08:04:39 +0100, Hannes Reinecke wrote: > > On 3/22/20 7:03 AM, Coly Li wrote: > > From: Takashi Iwai <tiwai@xxxxxxx> > > > > Since snprintf() returns the would-be-output size instead of the > > actual output size, the succeeding calls may go beyond the given > > buffer limit. Fix it by replacing with scnprintf(). > > > > Signed-off-by: Takashi Iwai <tiwai@xxxxxxx> > > Signed-off-by: Coly Li <colyli@xxxxxxx> > > --- > > drivers/md/bcache/sysfs.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/drivers/md/bcache/sysfs.c b/drivers/md/bcache/sysfs.c > > index 3470fae4eabc..323276994aab 100644 > > --- a/drivers/md/bcache/sysfs.c > > +++ b/drivers/md/bcache/sysfs.c > > @@ -154,7 +154,7 @@ static ssize_t bch_snprint_string_list(char *buf, > > size_t i; > > for (i = 0; list[i]; i++) > > - out += snprintf(out, buf + size - out, > > + out += scnprintf(out, buf + size - out, > > i == selected ? "[%s] " : "%s ", list[i]); > > out[-1] = '\n'; > > > Well, if you already consider a possible overflow here, why don't you > abort the loop once 'out == buf + size' ? Sure, feel free to optimize. But no need to mix two things into a single patch :) thanks, Takashi
