RE: [PATCH 1/2] usb: host: uhci-debug: use scnprintf() instead of sprintf()

From: Sergey Shtylyov
> Sent: 12 March 2022 20:29
> 
> The UHCI driver's debugging code uses a lot of sprintf() calls with the
> large buffers, leaving some space at the end of the buffers to handle the
> buffer overflow. Using scnprintf() instead eliminates the very possibility
> of the buffer overflow, while simplifying the code at the expense of not
> printing an ellipsis when the end of buffer is actually reached...

Hmmm...

The old code seems to do:

> -	out += sprintf(out, "(buf=%08x)\n", hc32_to_cpu(uhci, td->buffer));
> 
> -	if (out - buf > len)
> -		out += sprintf(out, " ...\n");
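
Review bot: the `out - buf > len` test in these removed lines runs only after sprintf() has already written at `out`, so it detects an overrun rather than preventing one. Since the ellipsis branch goes away with it, the replacement should either document that output reaching the end of the buffer is cut with no trailing "\n" or marker, or add a final check that restores one.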

Which is going to overflow the output buffer unless there
is enough 'tailroom' after buf[len] for all the sprintf()
before any length check and the ellipsis.

The new code won't overrun buf[len] but also fails to
'\n' terminate long lines.
So you probably do need a check for:
	/* out is a pointer into buf, so compare the offset with len */
	if (out - buf == len - 1 && out[-1] != '\n')
		strcpy(buf + len - 5, "...\n");

	David

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)
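
The truncation behaviour discussed in this message, as an added example that is not code from the patch or from either poster: a userspace stand-in for scnprintf() (`scnprintf_demo`, built on vsnprintf()) and a hypothetical `dump_lines()` routine show where the output is cut and how an end-of-buffer ellipsis check keeps it '\n'-terminated. The `len >= 5` guard, the function names and the sample values are assumptions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Userspace stand-in for the kernel's scnprintf(): returns the number of
 * characters actually stored in buf, not counting the trailing NUL. */
static int scnprintf_demo(char *buf, size_t size, const char *fmt, ...)
{
	va_list ap;
	int n;

	if (size == 0)
		return 0;
	va_start(ap, fmt);
	n = vsnprintf(buf, size, fmt, ap);
	va_end(ap);
	if (n < 0)
		return 0;
	return (size_t)n >= size ? (int)(size - 1) : n;
}

/* Hypothetical dump routine: writes `count` lines shaped like the one in
 * the quoted hunk (constructed values), then applies the end-of-buffer
 * check. Returns the number of characters stored in buf. */
static int dump_lines(char *buf, int len, int count)
{
	char *out = buf;
	int i;

	for (i = 0; i < count; i++)
		out += scnprintf_demo(out, len - (out - buf), "(buf=%08x)\n",
				      0x1000u + i);

	/* Buffer full and cut mid-line: overwrite the tail with an ellipsis.
	 * The len >= 5 guard is an assumption added for tiny buffers. */
	if (len >= 5 && out - buf == len - 1 && out[-1] != '\n')
		strcpy(buf + len - 5, "...\n");
	return (int)(out - buf);
}

int main(void)
{
	char small[32], big[64];

	dump_lines(small, sizeof(small), 3);	/* third line does not fit */
	dump_lines(big, sizeof(big), 3);	/* everything fits */
	printf("%s---\n%s", small, big);
	return 0;
}
```

When the buffer fills exactly at a line boundary, the check leaves the output alone, so lines dropped after that point are not marked.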



