On Sun, Mar 15, 2020 at 09:58:34AM +0000, Jonathan Cameron wrote:
> On Wed, 11 Mar 2020 08:43:25 +0100
> Takashi Iwai <tiwai@xxxxxxx> wrote:
>
> > Since snprintf() returns the would-be-output size instead of the
> > actual output size, the succeeding calls may go beyond the given
> > buffer limit. Fix it by replacing with scnprintf().
> >
> > Signed-off-by: Takashi Iwai <tiwai@xxxxxxx>
>
> This one is printing a short well defined list of values. No way they go
> anywhere near the smallest possible PAGE_SIZE buffer that it's printing
> into.
>
> Which is handy given the remaining space isn't adjusted as we add items
> to the string. Hence even with scnprintf it would overflow.
>
> Brian, can you take a look at this when you get a moment?
I also agree that this won't overflow in practice, however we should fix
this up. Maybe the scnprintf() calls should be this:
offset += scnprintf(buf + offset, PAGE_SIZE - offset, ...);
Brian
>
> Thanks,
>
> Jonathan
>
> > ---
> > drivers/iio/light/tsl2772.c | 4 ++--
> > 1 file changed, 2 insertions(+), 2 deletions(-)
> >
> > diff --git a/drivers/iio/light/tsl2772.c b/drivers/iio/light/tsl2772.c
> > index be37fcbd4654..44a0b56a558c 100644
> > --- a/drivers/iio/light/tsl2772.c
> > +++ b/drivers/iio/light/tsl2772.c
> > @@ -986,7 +986,7 @@ static ssize_t in_illuminance0_lux_table_show(struct device *dev,
> > int offset = 0;
> >
> > while (i < TSL2772_MAX_LUX_TABLE_SIZE) {
> > - offset += snprintf(buf + offset, PAGE_SIZE, "%u,%u,",
> > + offset += scnprintf(buf + offset, PAGE_SIZE, "%u,%u,",
> > chip->tsl2772_device_lux[i].ch0,
> > chip->tsl2772_device_lux[i].ch1);
> > if (chip->tsl2772_device_lux[i].ch0 == 0) {
> > @@ -1000,7 +1000,7 @@ static ssize_t in_illuminance0_lux_table_show(struct device *dev,
> > i++;
> > }
> >
> > - offset += snprintf(buf + offset, PAGE_SIZE, "\n");
> > + offset += scnprintf(buf + offset, PAGE_SIZE, "\n");
> > return offset;
> > }
> >
