Message-ID: <ZxYOnqRue6zpaWl8@smile.fi.intel.com>
Date: Mon, 21 Oct 2024 11:19:42 +0300
From: Andy Shevchenko <andriy.shevchenko@...ux.intel.com>
To: Takashi Iwai <tiwai@...e.de>
Cc: Baojun Xu <baojun.xu@...com>, robh+dt@...nel.org, lgirdwood@...il.com,
	perex@...ex.cz, pierre-louis.bossart@...ux.intel.com,
	shenghao-ding@...com, navada@...com, 13916275206@....com,
	v-hampiholi@...com, v-po@...com, linux-sound@...r.kernel.org,
	linux-kernel@...r.kernel.org, liam.r.girdwood@...el.com,
	yung-chuan.liao@...ux.intel.com, broonie@...nel.org,
	antheas.dk@...il.com
Subject: Re: [PATCH v2] ALSA: hda/tas2781: Add speaker id check for ASUS
 projects

On Mon, Oct 21, 2024 at 09:19:19AM +0200, Takashi Iwai wrote:
> On Fri, 18 Oct 2024 14:31:05 +0200,
> Andy Shevchenko wrote:
> > On Fri, Oct 18, 2024 at 03:11:18PM +0800, Baojun Xu wrote:

...

> > > +			// Speaker id is not valid, use default.
> > > +			dev_dbg(tas_priv->dev, "Wrong spk_id = %d\n", spk_id);
> > > +			spk_id = 0;
> > > +		}
> > > +		scnprintf(tas_priv->coef_binaryname,
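Review bot: in the invalid-id branch, the fallback to spk_id = 0 is reported only through dev_dbg(), so on a kernel built without DEBUG or dynamic debug for this driver nothing records that the default was substituted. Consider dev_warn() or dev_info() there, and have the message state that the default is being used rather than only "Wrong spk_id". The scnprintf() call that follows is cut off in this quote, so whether the name can truncate cannot be judged from the visible lines.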
> > 
> > Why 'c' variant? You do not check the return value anyway. So, what's the point?
> 
> There is a difference between snprintf() and scnprintf().
> With W=1, the compiler (at least the recent gcc version) will warn you
> when the string truncation may happen in the former case while not
> complaining for the latter.
> So, when the truncation is intentional and acceptable (that's
> certainly most cases), the use of scnprintf() will result in less
> warnings.

Yes, which is papering over the potential problem, right?
I agree that in this case it might not be critical or even
practical to check for an error, but in general the whole lot
of s*nprintf() should be used with this in mind.

-- 
With Best Regards,
Andy Shevchenko
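
The distinction discussed in this message, as an added userspace example that is not part of the thread or the patch: snprintf() returns the length the full string would have had, so truncation can be detected, while a scnprintf()-style return only reports what was stored. `model_scnprintf`, `build_name` and the format string are assumptions constructed for illustration.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Userspace model of the kernel scnprintf() return value: the number of
 * characters actually stored in buf, excluding the NUL (0 when size is 0). */
static int model_scnprintf(char *buf, size_t size, const char *fmt, ...)
{
	va_list ap;
	int n;

	if (size == 0)
		return 0;
	va_start(ap, fmt);
	n = vsnprintf(buf, size, fmt, ap);
	va_end(ap);
	if (n < 0)
		return 0;
	return (size_t)n < size ? n : (int)(size - 1);
}

/* Hypothetical helper: build a name and report truncation to the caller.
 * The format string is constructed for this example. */
static int build_name(char *buf, size_t size, int spk_id)
{
	int n = snprintf(buf, size, "EXAMPLE-%02d-coef.bin", spk_id);

	if (n < 0 || (size_t)n >= size)
		return -1;	/* would-be length did not fit: name was cut */
	return n;
}

int main(void)
{
	char small[12], big[32];

	/* The scnprintf-style result looks like success even though the
	 * stored name is incomplete. */
	printf("scnprintf model: %d \"%s\"\n",
	       model_scnprintf(small, sizeof(small), "EXAMPLE-%02d-coef.bin", 1),
	       small);
	printf("checked, small buffer: %d\n", build_name(small, sizeof(small), 1));
	printf("checked, big buffer:   %d \"%s\"\n",
	       build_name(big, sizeof(big), 1), big);
	return 0;
}
```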


