On Tue, Oct 01, 2019 at 11:09:26PM +0530, Rohit Sarkar wrote:
> On Tue, Oct 01, 2019 at 11:45:14AM +0300, Dan Carpenter wrote:
> > > diff --git a/drivers/staging/rtl8712/rtl871x_ioctl_linux.c b/drivers/staging/rtl8712/rtl871x_ioctl_linux.c
> > > index b08b9a191a34..ff5edcaba64d 100644
> > > --- a/drivers/staging/rtl8712/rtl871x_ioctl_linux.c
> > > +++ b/drivers/staging/rtl8712/rtl871x_ioctl_linux.c
> > > @@ -142,7 +142,7 @@ static noinline_for_stack char *translate_scan_wpa(struct iw_request_info *info,
> > > memset(buf, 0, MAX_WPA_IE_LEN);
> > > n = sprintf(buf, "wpa_ie=");
> > > for (i = 0; i < wpa_len; i++) {
> > > - n += snprintf(buf + n, MAX_WPA_IE_LEN - n,
> > > + n += scnprintf(buf + n, MAX_WPA_IE_LEN - n,
> > > "%02x", wpa_ie[i]);
> > > if (n >= MAX_WPA_IE_LEN)
> > ^^^^^^^^^^^^^^^^^^^
> > It checks for overflow here. This check is impossible now and doesn't
> > make sense. The other loop is similar.
>
> Good catch! I must have overlooked this.
> "n" cannot be greater than MAX_WPA_IE_LEN but it can be equal to that
> value. We can replace the '>=' with '==' so that we don't loop
> unnecessarily when n has reached it's threshold.
No. scnprintf() returns the number of characters *not counting the
NUL terminator*. So it can be a maximum of MAX_WPA_IE_LEN - 1.
regards,
dan carpenter
_______________________________________________
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxx
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
