wlcore: Fix buffer overrun by snprintf due to incorrect buffer size

The size of the buffer than can be written to is currently incorrect, it is always the size of the entire buffer even though the snprintf is writing as position pos into the buffer. Fix this by setting the buffer size to be the number of bytes left in the buffer, namely sizeof(buf) - pos. Addresses-Coverity: ("Out-of-bounds access") Fixes: 7b0e2c4f6b ("wlcore: fix overlapping snprintf arguments in debugfs") Signed-off-by: Colin Ian King <colin.king@canonical.com> Reviewed-by: Arnd Bergmann <arnd@arndb.de> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/20210419141405.180582-1-colin.king@canonical.com
2021-04-19 15:14:05 +01:00 · 2021-04-19 15:14:05 +01:00 · a9a4c080de
--- a/drivers/net/wireless/ti/wlcore/debugfs.h
+++ b/drivers/net/wireless/ti/wlcore/debugfs.h
@ -84,7 +84,7 @@ static ssize_t sub## _ ##name## _read(struct file *file,		\
 	wl1271_debugfs_update_stats(wl);				\
 									\
 	for (i = 0; i < len && pos < sizeof(buf); i++)			\
-		pos += snprintf(buf + pos, sizeof(buf),			\
+		pos += snprintf(buf + pos, sizeof(buf) - pos,		\
 			 "[%d] = %d\n", i, stats->sub.name[i]);		\
 									\
 	return wl1271_format_buffer(userbuf, count, ppos, "%s", buf);	\