iio: tsl2772: Use scnprintf() for avoiding potential buffer overflow

snprintf() is a hard-to-use function, it's especially difficult to use
it for concatenating substrings in a buffer with a limited size.
Since snprintf() returns the would-be-output size, not the actual
size, the subsequent use of snprintf() may go beyond the given limit
easily.  Although the current code doesn't actually overflow the
buffer, it's an incorrect usage.

This patch replaces such snprintf() calls with a safer version,
scnprintf().

Also this fixes the incorrect argument of the buffer limit size passed
to snprintf(), too.  The size has to be decremented for the remaining
length.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
Reviewed-by: Brian Masney <masneyb@onstation.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
This commit is contained in:
Takashi Iwai 2020-03-16 13:49:41 +01:00 коммит произвёл Jonathan Cameron
Родитель bf09cddb2c
Коммит 3dee042628
1 изменённых файлов: 3 добавлений и 3 удалений

Просмотреть файл

@ -932,7 +932,7 @@ static ssize_t in_illuminance0_target_input_show(struct device *dev,
{
struct tsl2772_chip *chip = iio_priv(dev_to_iio_dev(dev));
return snprintf(buf, PAGE_SIZE, "%d\n", chip->settings.als_cal_target);
return scnprintf(buf, PAGE_SIZE, "%d\n", chip->settings.als_cal_target);
}
static ssize_t in_illuminance0_target_input_store(struct device *dev,
@ -986,7 +986,7 @@ static ssize_t in_illuminance0_lux_table_show(struct device *dev,
int offset = 0;
while (i < TSL2772_MAX_LUX_TABLE_SIZE) {
offset += snprintf(buf + offset, PAGE_SIZE, "%u,%u,",
offset += scnprintf(buf + offset, PAGE_SIZE - offset, "%u,%u,",
chip->tsl2772_device_lux[i].ch0,
chip->tsl2772_device_lux[i].ch1);
if (chip->tsl2772_device_lux[i].ch0 == 0) {
@ -1000,7 +1000,7 @@ static ssize_t in_illuminance0_lux_table_show(struct device *dev,
i++;
}
offset += snprintf(buf + offset, PAGE_SIZE, "\n");
offset += scnprintf(buf + offset, PAGE_SIZE - offset, "\n");
return offset;
}