Hi, On Sun, Jul 18, 2021 at 05:12:55PM +0100, Adam Sampson wrote: > Len Baker <len.baker@xxxxxxx> writes: > > > strcpy() performs no bounds checking on the destination buffer. This > > could result in linear overflows beyond the end of the buffer, leading > > to all kinds of misbehaviors. The safe replacement is strscpy() but in > > this case it is better to use the scnprintf to simplify the arithmetic. > > > > This is a previous step in the path to remove the strcpy() function > > entirely from the kernel. > > > > Signed-off-by: Len Baker <len.baker@xxxxxxx> > > --- > > drivers/bluetooth/btmrvl_sdio.c | 27 +++++++++++++-------------- > > 1 file changed, 13 insertions(+), 14 deletions(-) > > > > diff --git a/drivers/bluetooth/btmrvl_sdio.c b/drivers/bluetooth/btmrvl_sdio.c > > index cddd350beba3..d6674b367e05 100644 > > --- a/drivers/bluetooth/btmrvl_sdio.c > > +++ b/drivers/bluetooth/btmrvl_sdio.c > > @@ -1350,6 +1350,7 @@ static void btmrvl_sdio_coredump(struct device *dev) > > u8 *dbg_ptr, *end_ptr, *fw_dump_data, *fw_dump_ptr; > [...] > > + size += scnprintf(fw_dump_ptr + size, > > + sizeof(fw_dump_ptr) - size, > [...] > > + size += scnprintf(fw_dump_ptr + size, > > + sizeof(fw_dump_ptr) - size, > > sizeof(fw_dump_ptr) there looks wrong -- you want the size of the buffer > it points to (fw_dump_len + 1)? Apologies. I will work on it and I will send a new version for review. Thanks for the feedback. > > Thanks, > > -- > Adam Sampson <ats@xxxxxxxxx> <http://offog.org/> Regards, Len
