On Thu, Nov 14, 2024 at 06:34:49PM +0900, Vincent Mailhol wrote:
> Hi Dan,
>
> On 14/11/2024 at 18:03, Dan Carpenter wrote:
> > This code is printing hex values to the &local_txbuf buffer and it's
> > using the snprintf() function to try to prevent buffer overflows. The
> > problem is that it's not passing the correct limit to the snprintf()
> > function so the limit doesn't do anything. On each iteration we print
> > two digits so the remaining size should also decrease by two, but
> > instead it passes the sizeof() the entire buffer each time.
> >
> > If the frame->len were too long it would result in a buffer overflow.
>
> But, can frame->len be too long? Classical CAN frame maximum length is 8
> bytes. And I do not see a path for a malformed frame to reach this part of
> the driver.
>
> If such a path exists, I think this should be explained. Else, I am just not
> sure if this needs a Fixes: tag.
>

Even when bugs don't affect runtime we still assign a Fixes tag, but we don't
CC stable. There is no way that passing the wrong size was intentional.

regards,
dan carpenter
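
The limit problem discussed in this thread, as an added userspace example that is not part of the original messages or the driver's code: the function below passes snprintf() the space actually remaining and reports truncation. The names `hex_encode_bounded`, `buf`, `dst`, `src` and `len` are hypothetical, and the sample payload is constructed.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Pattern described in the thread, shown as a comment only (buf, src and
 * len are hypothetical names, buf being a char array):
 *
 *     for (i = 0; i < len; i++)
 *         snprintf(&buf[2 * i], sizeof(buf), "%02X", src[i]);
 *
 * The write position advances by two per byte but the limit never shrinks.
 */

/* Hex-encode src into dst, giving snprintf() the space actually remaining.
 * Returns the number of characters written (excluding the NUL), or -1 if
 * dst is too small; dst is NUL-terminated whenever dst_size > 0. */
int hex_encode_bounded(char *dst, size_t dst_size,
                       const unsigned char *src, size_t len)
{
    size_t off = 0;

    if (dst_size == 0)
        return -1;
    dst[0] = '\0';

    for (size_t i = 0; i < len; i++) {
        size_t remaining = dst_size - off;   /* shrinks by two per byte */
        int n = snprintf(dst + off, remaining, "%02X", src[i]);

        if (n < 0 || (size_t)n >= remaining) {
            dst[off] = '\0';                 /* drop the partial byte */
            return -1;
        }
        off += (size_t)n;
    }
    return (int)off;
}

int main(void)
{
    /* Constructed sample: an 8-byte classical CAN payload. */
    const unsigned char data[8] = {0xDE, 0xAD, 0xBE, 0xEF, 1, 2, 3, 4};
    char buf[2 * sizeof(data) + 1];

    if (hex_encode_bounded(buf, sizeof(buf), data, sizeof(data)) > 0)
        puts(buf);
    return 0;
}
```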