Hi Dan,
On 11/14/24 18:03, Dan Carpenter wrote:
This code is printing hex values to the &local_txbuf buffer and it's
using the snprintf() function to try prevent buffer overflows. The
problem is that it's not passing the correct limit to the snprintf()
function so the limit doesn't do anything. On each iteration we print
two digits so the remaining size should also decrease by two, but
instead it passes the sizeof() the entire buffer each time.
D'oh, silly mistake. Thank you for finding it!
IMHO the correct fix isn't further counting and checking within the
snprintf loop. Instead, the buffer is correctly sized for a payload of
up to 8 bytes, and what we should do is to initially establish that
frame->len is indeed no larger than 8 bytes. So, something like
if (frame->len > 8) {
netdev_err(elm->dev, "The CAN stack handed us a frame with len > 8
bytes. Dropped packet.\n");
}
This check would go into can327_netdev_start_xmit(), and then a comment
at your current patch's location to remind of this. Also, snprintf() can
be simplified to sprintf(), since it is fully predictable in this case.
It's also possible that the CAN stack already checks frame->len, in
which case I'd just add comments to can327. I haven't dug into the code
now - maybe the maintainers know?
I can whip something up next week.
Max
