On Wed, Mar 11, 2020 at 10:35:52AM +0100, Takashi Iwai wrote:
> Since snprintf() returns the would-be-output size instead of the
> actual output size, the succeeding calls may go beyond the given
> buffer limit. Fix it by replacing with scnprintf().
> Signed-off-by: Takashi Iwai <tiwai@xxxxxxx>
The 'c' in 'scnprintf' means that it returns the number of bytes written
into the buffer (not including the \0) instead of the number of bytes
that /would/ have been written provided there was enough space, right?
If so,
Reviewed-by: Darrick J. Wong <darrick.wong@xxxxxxxxxx>
--D
> ---
> fs/xfs/xfs_stats.c | 10 +++++-----
> 1 file changed, 5 insertions(+), 5 deletions(-)
>
> diff --git a/fs/xfs/xfs_stats.c b/fs/xfs/xfs_stats.c
> index 113883c4f202..f70f1255220b 100644
> --- a/fs/xfs/xfs_stats.c
> +++ b/fs/xfs/xfs_stats.c
> @@ -57,13 +57,13 @@ int xfs_stats_format(struct xfsstats __percpu *stats, char *buf)
> /* Loop over all stats groups */
>
> for (i = j = 0; i < ARRAY_SIZE(xstats); i++) {
> - len += snprintf(buf + len, PATH_MAX - len, "%s",
> + len += scnprintf(buf + len, PATH_MAX - len, "%s",
> xstats[i].desc);
> /* inner loop does each group */
> for (; j < xstats[i].endpoint; j++)
> - len += snprintf(buf + len, PATH_MAX - len, " %u",
> + len += scnprintf(buf + len, PATH_MAX - len, " %u",
> counter_val(stats, j));
> - len += snprintf(buf + len, PATH_MAX - len, "\n");
> + len += scnprintf(buf + len, PATH_MAX - len, "\n");
> }
> /* extra precision counters */
> for_each_possible_cpu(i) {
> @@ -72,9 +72,9 @@ int xfs_stats_format(struct xfsstats __percpu *stats, char *buf)
> xs_read_bytes += per_cpu_ptr(stats, i)->s.xs_read_bytes;
> }
>
> - len += snprintf(buf + len, PATH_MAX-len, "xpc %Lu %Lu %Lu\n",
> + len += scnprintf(buf + len, PATH_MAX-len, "xpc %Lu %Lu %Lu\n",
> xs_xstrat_bytes, xs_write_bytes, xs_read_bytes);
> - len += snprintf(buf + len, PATH_MAX-len, "debug %u\n",
> + len += scnprintf(buf + len, PATH_MAX-len, "debug %u\n",
> #if defined(DEBUG)
> 1);
> #else
> --
> 2.16.4
>
