| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20231213164246.1021885-11-lee@kernel.org>
Date: Wed, 13 Dec 2023 16:42:39 +0000
From: Lee Jones <lee@...nel.org>
To: lee@...nel.org, gregkh@...uxfoundation.org
Cc: linux-kernel@...r.kernel.org, linux-usb@...r.kernel.org
Subject: [PATCH 10/12] usb: mon_text: Replace snprintf() with the safer scnprintf() variant
There is a general misunderstanding amongst engineers that {v}snprintf()
returns the length of the data *actually* encoded into the destination
array. However, as per the C99 standard {v}snprintf() really returns
the length of the data that *would have been* written if there were
enough space for it. This misunderstanding has led to buffer-overruns
in the past. It's generally considered safer to use the {v}scnprintf()
variants in their place (or even sprintf() in simple cases). So let's
do that.
Link: https://lwn.net/Articles/69419/
Link: https://github.com/KSPP/linux/issues/105
Signed-off-by: Lee Jones <lee@...nel.org>
---
drivers/usb/mon/mon_text.c | 28 +++++-----------------------
1 file changed, 5 insertions(+), 23 deletions(-)
diff --git a/drivers/usb/mon/mon_text.c b/drivers/usb/mon/mon_text.c
index 39cb141646526..2fe9b95bac1d5 100644
--- a/drivers/usb/mon/mon_text.c
+++ b/drivers/usb/mon/mon_text.c
@@ -352,7 +352,7 @@ static int mon_text_open(struct inode *inode, struct file *file)
rp->r.rnf_error = mon_text_error;
rp->r.rnf_complete = mon_text_complete;
- snprintf(rp->slab_name, SLAB_NAME_SZ, "mon_text_%p", rp);
+ scnprintf(rp->slab_name, SLAB_NAME_SZ, "mon_text_%p", rp);
rp->e_slab = kmem_cache_create(rp->slab_name,
sizeof(struct mon_event_text), sizeof(long), 0,
mon_text_ctor);
@@ -700,46 +700,28 @@ static const struct file_operations mon_fops_text_u = {
int mon_text_add(struct mon_bus *mbus, const struct usb_bus *ubus)
{
- enum { NAMESZ = 10 };
+ enum { NAMESZ = 12 };
char name[NAMESZ];
int busnum = ubus? ubus->busnum: 0;
- int rc;
if (mon_dir == NULL)
return 0;
if (ubus != NULL) {
- rc = snprintf(name, NAMESZ, "%dt", busnum);
- if (rc <= 0 || rc >= NAMESZ)
- goto err_print_t;
+ scnprintf(name, NAMESZ, "%dt", busnum);
mbus->dent_t = debugfs_create_file(name, 0600, mon_dir, mbus,
&mon_fops_text_t);
}
- rc = snprintf(name, NAMESZ, "%du", busnum);
- if (rc <= 0 || rc >= NAMESZ)
- goto err_print_u;
+ scnprintf(name, NAMESZ, "%du", busnum);
mbus->dent_u = debugfs_create_file(name, 0600, mon_dir, mbus,
&mon_fops_text_u);
- rc = snprintf(name, NAMESZ, "%ds", busnum);
- if (rc <= 0 || rc >= NAMESZ)
- goto err_print_s;
+ scnprintf(name, NAMESZ, "%ds", busnum);
mbus->dent_s = debugfs_create_file(name, 0600, mon_dir, mbus,
&mon_fops_stat);
return 1;
-
-err_print_s:
- debugfs_remove(mbus->dent_u);
- mbus->dent_u = NULL;
-err_print_u:
- if (ubus != NULL) {
- debugfs_remove(mbus->dent_t);
- mbus->dent_t = NULL;
- }
-err_print_t:
- return 0;
}
void mon_text_del(struct mon_bus *mbus)
--
2.43.0.472.g3155946c3a-goog
Powered by blists - more mailing lists