Colin King <colin.king@xxxxxxxxxxxxx> wrote:
> From: Colin Ian King <colin.king@xxxxxxxxxxxxx>
>
> The size of the buffer than can be written to is currently incorrect, it is
> always the size of the entire buffer even though the snprintf is writing
> as position pos into the buffer. Fix this by setting the buffer size to be
> the number of bytes left in the buffer, namely sizeof(buf) - pos.
>
> Addresses-Coverity: ("Out-of-bounds access")
> Fixes: 7b0e2c4f6be3 ("wlcore: fix overlapping snprintf arguments in debugfs")
> Signed-off-by: Colin Ian King <colin.king@xxxxxxxxxxxxx>
> Reviewed-by: Arnd Bergmann <arnd@xxxxxxxx>
Patch applied to wireless-drivers-next.git, thanks.
a9a4c080deb3 wlcore: Fix buffer overrun by snprintf due to incorrect buffer size
--
https://patchwork.kernel.org/project/linux-wireless/patch/20210419141405.180582-1-colin.king@xxxxxxxxxxxxx/
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
