aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLee Jones <[email protected]>2023-12-13 16:42:37 +0000
committerGreg Kroah-Hartman <[email protected]>2023-12-15 13:55:30 +0100
commit86b20af11e84c26ae3fde4dcc4f490948e3f8035 (patch)
tree86d95f96fa9ac1ff44571ad3c1dfda7df8ace061
parenta6eef67cdb84e06112fc29176d6c6061d3ea8d79 (diff)
usb: yurex: Replace snprintf() with the safer scnprintf() variant
There is a general misunderstanding amongst engineers that {v}snprintf() returns the length of the data *actually* encoded into the destination array. However, as per the C99 standard {v}snprintf() really returns the length of the data that *would have been* written if there were enough space for it. This misunderstanding has led to buffer-overruns in the past. It's generally considered safer to use the {v}scnprintf() variants in their place (or even sprintf() in simple cases). So let's do that. Whilst we're at it, let's define some magic numbers to increase readability and ease of maintenance. Link: https://lwn.net/Articles/69419/ Link: https://github.com/KSPP/linux/issues/105 Cc: Tomoki Sekiyama <[email protected]> Signed-off-by: Lee Jones <[email protected]> Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Greg Kroah-Hartman <[email protected]>
Diffstat
-rw-r--r--drivers/usb/misc/yurex.c12
1 files changed, 7 insertions, 5 deletions
diff --git a/drivers/usb/misc/yurex.c b/drivers/usb/misc/yurex.c
index c640f98d20c5..5a13cddace0e 100644
--- a/drivers/usb/misc/yurex.c
+++ b/drivers/usb/misc/yurex.c
@@ -34,6 +34,8 @@
#define YUREX_BUF_SIZE 8
#define YUREX_WRITE_TIMEOUT (HZ*2)
+#define MAX_S64_STRLEN 20 /* {-}922337203685477580{7,8} */
+
/* table of devices that work with this driver */
static struct usb_device_id yurex_table[] = {
{ USB_DEVICE(YUREX_VENDOR_ID, YUREX_PRODUCT_ID) },
@@ -401,7 +403,7 @@ static ssize_t yurex_read(struct file *file, char __user *buffer, size_t count,
{
struct usb_yurex *dev;
int len = 0;
- char in_buffer[20];
+ char in_buffer[MAX_S64_STRLEN];
unsigned long flags;
dev = file->private_data;
@@ -412,14 +414,14 @@ static ssize_t yurex_read(struct file *file, char __user *buffer, size_t count,
return -ENODEV;
}
+ if (WARN_ON_ONCE(dev->bbu > S64_MAX || dev->bbu < S64_MIN))
+ return -EIO;
+
spin_lock_irqsave(&dev->lock, flags);
- len = snprintf(in_buffer, 20, "%lld\n", dev->bbu);
+ scnprintf(in_buffer, MAX_S64_STRLEN, "%lld\n", dev->bbu);
spin_unlock_irqrestore(&dev->lock, flags);
mutex_unlock(&dev->io_mutex);
- if (WARN_ON_ONCE(len >= sizeof(in_buffer)))
- return -EIO;
-
return simple_read_from_buffer(buffer, count, ppos, in_buffer, len);
}
Powered by cgit, Gruvboxed by Blaster4385.