Len Baker <len.baker@xxxxxxx> writes: > strcpy() performs no bounds checking on the destination buffer. This > could result in linear overflows beyond the end of the buffer, leading > to all kinds of misbehaviors. The safe replacement is strscpy() but in > this case it is better to use the scnprintf to simplify the arithmetic. > > This is a previous step in the path to remove the strcpy() function > entirely from the kernel. > > Signed-off-by: Len Baker <len.baker@xxxxxxx> > --- > drivers/bluetooth/btmrvl_sdio.c | 27 +++++++++++++-------------- > 1 file changed, 13 insertions(+), 14 deletions(-) > > diff --git a/drivers/bluetooth/btmrvl_sdio.c b/drivers/bluetooth/btmrvl_sdio.c > index cddd350beba3..d6674b367e05 100644 > --- a/drivers/bluetooth/btmrvl_sdio.c > +++ b/drivers/bluetooth/btmrvl_sdio.c > @@ -1350,6 +1350,7 @@ static void btmrvl_sdio_coredump(struct device *dev) > u8 *dbg_ptr, *end_ptr, *fw_dump_data, *fw_dump_ptr; [...] > + size += scnprintf(fw_dump_ptr + size, > + sizeof(fw_dump_ptr) - size, [...] > + size += scnprintf(fw_dump_ptr + size, > + sizeof(fw_dump_ptr) - size, sizeof(fw_dump_ptr) there looks wrong -- you want the size of the buffer it points to (fw_dump_len + 1)? Thanks, -- Adam Sampson <ats@xxxxxxxxx> <http://offog.org/>
