On 06/04/2012 12:55 PM, Dan Carpenter wrote:
> On Mon, Jun 04, 2012 at 11:36:11AM +0200, Lars-Peter Clausen wrote:
>> +ssize_t iio_enum_available_read(struct iio_dev *indio_dev,
>> + uintptr_t priv, const struct iio_chan_spec *chan, char *buf)
>> +{
>> + const struct iio_enum *e = (const struct iio_enum *)priv;
>> + unsigned int i;
>> + size_t len = 0;
>> +
>> + if (!e->num_items)
>> + return 0;
>> +
>> + for (i = 0; i < e->num_items; ++i)
>> + len += snprintf(buf + len, PAGE_SIZE - len, "%s ", e->items[i]);
>> +
>> + /* replace last space with a newline */
>> + buf[len - 1] = '\n';
>> +
>
> It would be better to use scnprintf() here instead of snprintf().
> snprintf() returns the number of characters that would have been
> printed if there were space (not counting the NULL), so len - 1 can
> be beyond the end of the array.
It's even worse, if len is greater than PAGE_SIZE we'll pass a pretty large
number for the buffer size to snprintf and it will happily write beyond the
buffers limits. So as it is right now the snprintf isn't really any better than
a sprintf. I'll resend the patch with scnprintf.
Thanks,
- Lars
--
To unsubscribe from this list: send the line "unsubscribe linux-iio" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
