It seems that the following idiom is pretty common in the kernel:

    res += snprintf(buf + res, sizeof(buf) - res, "string1");
    res += snprintf(buf + res, sizeof(buf) - res, "string2");
    ...

However, since snprintf returns "the number of characters which would be
generated for the given input", the return value must be checked against the
buffer size in order to avoid writing past the buffer bounds.

Fix it by replacing snprintf with scnprintf, to make the original code work
as expected.

(As noted, it seems that this error exists in many other places in the kernel.
It can be found by git grep "\+=\s*snprintf". However, these places are mostly
in debugging code, so the security implications are hopefully minor. I haven't
reviewed them all, though...)

Eliad Peller (2):
  cfg80211: replace snprintf with scnprintf
  mac80211: replace snprintf with scnprintf

 net/mac80211/debugfs.c             | 48 ++++++++++++++++++------------------
 net/mac80211/debugfs_netdev.c      | 10 +++---
 net/mac80211/rc80211_pid_debugfs.c | 26 +++++++++---------
 net/wireless/debugfs.c             | 25 +++++++++---------
 4 files changed, 54 insertions(+), 55 deletions(-)

-- 
1.7.6.401.g6a319

--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
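The following is an added example, not code from Eliad Peller's series or from the kernel tree. It runs the `res += snprintf(buf + res, sizeof(buf) - res, ...)` idiom twice over a constructed 16-byte buffer: once with snprintf semantics and once with a userspace stand-in for the kernel's scnprintf() (named my_scnprintf here, since scnprintf is not in libc). The buffer is placed in front of a canary-filled guard area so the out-of-bounds write can be observed instead of corrupting the stack. The WINDOW/GUARD sizes, the four input strings and the helper names are all assumptions made for the demonstration.

```c
/* Added example (not from the patch series or the kernel tree): why the
 * `res += snprintf(buf + res, sizeof(buf) - res, ...)` idiom overruns its
 * buffer once the output stops fitting, and why scnprintf() does not.
 * scnprintf() is a kernel helper, so my_scnprintf() below is a userspace
 * stand-in with the same contract. The 16-byte WINDOW and the four input
 * strings are constructed for the demonstration. */
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define WINDOW 16   /* the buffer the idiom believes it is writing into */
#define GUARD  64   /* canary bytes behind it, so the overrun is observable */
#define CANARY 0xA5

typedef int (*fmt_fn)(char *buf, size_t size, const char *fmt, ...);

/* Same contract as libc snprintf(): returns the length the full output
 * WOULD have, even when only part of it fits in `size` bytes. */
static int plain_snprintf(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    return n;
}

/* Userspace stand-in for the kernel's scnprintf(): returns the number of
 * characters actually stored (excluding the NUL), so the result is always
 * <= size - 1, and 0 when size is 0. */
static int my_scnprintf(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (size == 0)
        return 0;
    va_start(ap, fmt);
    n = vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    if (n < 0)
        return 0;
    return (size_t)n < size ? n : (int)(size - 1);
}

struct chain_result {
    int res;             /* final running offset, as the idiom computes it */
    int guard_clobbered; /* 1 if any byte beyond WINDOW was overwritten */
    char text[WINDOW];   /* what ended up inside the WINDOW-byte buffer */
};

/* Runs the kernel idiom verbatim (buf + res, WINDOW - res) with the given
 * formatter. The WINDOW-byte buffer is the front of a heap block followed
 * by GUARD canary bytes, so a write past the window is detected rather
 * than corrupting unrelated memory. */
static struct chain_result run_chain(fmt_fn fn)
{
    static const char *const parts[] = { "string1", "string2", "string3", "string4" };
    struct chain_result r;
    char *buf = malloc(WINDOW + GUARD);
    size_t i;

    if (!buf)
        abort();
    memset(buf, CANARY, WINDOW + GUARD);

    r.res = 0;
    for (i = 0; i < sizeof parts / sizeof parts[0]; i++)
        /* once res > WINDOW, buf + res is past the window and the size
         * argument wraps to a huge size_t: this is the bug in the idiom */
        r.res += fn(buf + r.res, (size_t)WINDOW - (size_t)r.res, "%s", parts[i]);

    r.guard_clobbered = 0;
    for (i = WINDOW; i < WINDOW + GUARD; i++)
        if ((unsigned char)buf[i] != CANARY)
            r.guard_clobbered = 1;

    memcpy(r.text, buf, WINDOW);
    r.text[WINDOW - 1] = '\0';
    free(buf);
    return r;
}

int main(void)
{
    struct chain_result a = run_chain(plain_snprintf);
    struct chain_result b = run_chain(my_scnprintf);

    printf("snprintf : res=%d, text=\"%s\", guard %s\n", a.res, a.text,
           a.guard_clobbered ? "CLOBBERED" : "intact");
    printf("scnprintf: res=%d, text=\"%s\", guard %s\n", b.res, b.text,
           b.guard_clobbered ? "CLOBBERED" : "intact");
    return 0;
}
```

With snprintf the third call already truncates, yet res jumps to 21, so the fourth call is handed a pointer past the buffer and a wrapped size argument and writes "string4" into the guard area. With scnprintf res stops at 15, equal to strlen() of the buffer contents, which is exactly the invariant the idiom relies on.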