The use of sprintf with format string here means that there is a risk that the writes will go out of bounds, replace it with scnprintf. In one block of the translate_scan function sprintf is only called once (it's not being used to concatenate strings) so there is no need to keep the pointer "p", remove it. Signed-off-by: Candy Febriyanto <cfebriyanto@xxxxxxxxx> --- Changed since V1: - Dan Carpenter: assign the return value of scnprintf to the length variable instead of calling strlen .../staging/rtl8723bs/os_dep/ioctl_linux.c | 23 +++++++++---------- drivers/staging/rtl8723bs/os_dep/mlme_linux.c | 6 ++--- 2 files changed, 14 insertions(+), 15 deletions(-) diff --git a/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c b/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c index 41389e266f54..78ba2423ed65 100644 --- a/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c +++ b/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c @@ -240,9 +240,10 @@ static char *translate_scan(struct adapter *padapter, return start; if (wpa_len > 0) { p = buf; - p += sprintf(p, "wpa_ie ="); + p += scnprintf(p, (MAX_WPA_IE_LEN * 2) - (p - buf), "wpa_ie ="); for (i = 0; i < wpa_len; i++) - p += sprintf(p, "%02x", wpa_ie[i]); + p += scnprintf(p, (MAX_WPA_IE_LEN * 2) - (p - buf), + "%02x", wpa_ie[i]); if (wpa_len > 100) { printk("-----------------Len %d----------------\n", wpa_len); @@ -265,9 +266,10 @@ static char *translate_scan(struct adapter *padapter, if (rsn_len > 0) { p = buf; memset(buf, 0, MAX_WPA_IE_LEN*2); - p += sprintf(p, "rsn_ie ="); + p += scnprintf(p, (MAX_WPA_IE_LEN * 2) - (p - buf), "rsn_ie ="); for (i = 0; i < rsn_len; i++) - p += sprintf(p, "%02x", rsn_ie[i]); + p += scnprintf(p, (MAX_WPA_IE_LEN * 2) - (p - buf), + "%02x", rsn_ie[i]); memset(&iwe, 0, sizeof(iwe)); iwe.cmd = IWEVCUSTOM; iwe.u.data.length = strlen(buf); @@ -365,17 +367,16 @@ static char *translate_scan(struct adapter *padapter, { u8 *buf; - u8 *p, *pos; + u8 *pos; buf = kzalloc(MAX_WPA_IE_LEN, GFP_ATOMIC); if (!buf) goto exit; - p = buf; + pos = pnetwork->network.Reserved; - p += sprintf(p, "fm =%02X%02X", pos[1], pos[0]); memset(&iwe, 0, sizeof(iwe)); iwe.cmd = IWEVCUSTOM; - iwe.u.data.length = strlen(buf); + iwe.u.data.length = scnprintf(buf, MAX_WPA_IE_LEN, "fm =%02X%02X", pos[1], pos[0]); start = iwe_stream_add_point(info, start, stop, &iwe, buf); kfree(buf); } @@ -5082,8 +5083,7 @@ static int rtw_ioctl_wext_private(struct net_device *dev, union iwreq_data *wrq_ case IW_PRIV_TYPE_BYTE: /* Display args */ for (j = 0; j < n; j++) { - sprintf(str, "%d ", extra[j]); - len = strlen(str); + len = scnprintf(str, sizeof(str), "%d ", extra[j]); output_len = strlen(output); if ((output_len + len + 1) > 4096) { err = -E2BIG; @@ -5096,8 +5096,7 @@ static int rtw_ioctl_wext_private(struct net_device *dev, union iwreq_data *wrq_ case IW_PRIV_TYPE_INT: /* Display args */ for (j = 0; j < n; j++) { - sprintf(str, "%d ", ((__s32 *)extra)[j]); - len = strlen(str); + len = scnprintf(str, sizeof(str), "%d ", ((__s32 *)extra)[j]); output_len = strlen(output); if ((output_len + len + 1) > 4096) { err = -E2BIG; diff --git a/drivers/staging/rtl8723bs/os_dep/mlme_linux.c b/drivers/staging/rtl8723bs/os_dep/mlme_linux.c index d46c65ab384b..20899b2cff43 100644 --- a/drivers/staging/rtl8723bs/os_dep/mlme_linux.c +++ b/drivers/staging/rtl8723bs/os_dep/mlme_linux.c @@ -159,15 +159,15 @@ void rtw_report_sec_ie(struct adapter *adapter, u8 authmode, u8 *sec_ie) } p = buff; - p += sprintf(p, "ASSOCINFO(ReqIEs ="); + p += scnprintf(p, IW_CUSTOM_MAX - (p - buff), "ASSOCINFO(ReqIEs ="); len = sec_ie[1] + 2; len = (len < IW_CUSTOM_MAX) ? len : IW_CUSTOM_MAX; for (i = 0; i < len; i++) - p += sprintf(p, "%02x", sec_ie[i]); + p += scnprintf(p, IW_CUSTOM_MAX - (p - buff), "%02x", sec_ie[i]); - p += sprintf(p, ")"); + p += scnprintf(p, IW_CUSTOM_MAX - (p - buff), ")"); memset(&wrqu, 0, sizeof(wrqu)); -- 2.30.1 _______________________________________________ devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxx http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel