summaryrefslogtreecommitdiff
path: root/drivers
diff options
context:
space:
mode:
authorCandy Febriyanto <cfebriyanto@gmail.com>2021-03-01 18:00:11 +0300
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2021-03-10 11:25:32 +0300
commit6d108d064c27928d1bbae22c8f7f81d8efb021fb (patch)
tree8dea2930157916036e70636eff2b4a7459ecbf14 /drivers
parent2a02059e4f9ed59817d8c238f93bb8e5c58562ad (diff)
downloadlinux-6d108d064c27928d1bbae22c8f7f81d8efb021fb.tar.xz
staging: rtl8723bs: os_dep: Replace sprintf with scnprintf
The use of sprintf with format string here means that there is a risk that the writes will go out of bounds, replace it with scnprintf. In one block of the translate_scan function sprintf is only called once (it's not being used to concatenate strings) so there is no need to keep the pointer "p", remove it. Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Candy Febriyanto <cfebriyanto@gmail.com> Link: https://lore.kernel.org/r/d76c5f1db8dbf02ac0ab954b0971ce24e5a8b9bd.1614610197.git.cfebriyanto@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers')
-rw-r--r--drivers/staging/rtl8723bs/os_dep/ioctl_linux.c23
-rw-r--r--drivers/staging/rtl8723bs/os_dep/mlme_linux.c6
2 files changed, 14 insertions, 15 deletions
diff --git a/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c b/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c
index 41389e266f54..78ba2423ed65 100644
--- a/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c
+++ b/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c
@@ -240,9 +240,10 @@ static char *translate_scan(struct adapter *padapter,
return start;
if (wpa_len > 0) {
p = buf;
- p += sprintf(p, "wpa_ie =");
+ p += scnprintf(p, (MAX_WPA_IE_LEN * 2) - (p - buf), "wpa_ie =");
for (i = 0; i < wpa_len; i++)
- p += sprintf(p, "%02x", wpa_ie[i]);
+ p += scnprintf(p, (MAX_WPA_IE_LEN * 2) - (p - buf),
+ "%02x", wpa_ie[i]);
if (wpa_len > 100) {
printk("-----------------Len %d----------------\n", wpa_len);
@@ -265,9 +266,10 @@ static char *translate_scan(struct adapter *padapter,
if (rsn_len > 0) {
p = buf;
memset(buf, 0, MAX_WPA_IE_LEN*2);
- p += sprintf(p, "rsn_ie =");
+ p += scnprintf(p, (MAX_WPA_IE_LEN * 2) - (p - buf), "rsn_ie =");
for (i = 0; i < rsn_len; i++)
- p += sprintf(p, "%02x", rsn_ie[i]);
+ p += scnprintf(p, (MAX_WPA_IE_LEN * 2) - (p - buf),
+ "%02x", rsn_ie[i]);
memset(&iwe, 0, sizeof(iwe));
iwe.cmd = IWEVCUSTOM;
iwe.u.data.length = strlen(buf);
@@ -365,17 +367,16 @@ static char *translate_scan(struct adapter *padapter,
{
u8 *buf;
- u8 *p, *pos;
+ u8 *pos;
buf = kzalloc(MAX_WPA_IE_LEN, GFP_ATOMIC);
if (!buf)
goto exit;
- p = buf;
+
pos = pnetwork->network.Reserved;
- p += sprintf(p, "fm =%02X%02X", pos[1], pos[0]);
memset(&iwe, 0, sizeof(iwe));
iwe.cmd = IWEVCUSTOM;
- iwe.u.data.length = strlen(buf);
+ iwe.u.data.length = scnprintf(buf, MAX_WPA_IE_LEN, "fm =%02X%02X", pos[1], pos[0]);
start = iwe_stream_add_point(info, start, stop, &iwe, buf);
kfree(buf);
}
@@ -5082,8 +5083,7 @@ static int rtw_ioctl_wext_private(struct net_device *dev, union iwreq_data *wrq_
case IW_PRIV_TYPE_BYTE:
/* Display args */
for (j = 0; j < n; j++) {
- sprintf(str, "%d ", extra[j]);
- len = strlen(str);
+ len = scnprintf(str, sizeof(str), "%d ", extra[j]);
output_len = strlen(output);
if ((output_len + len + 1) > 4096) {
err = -E2BIG;
@@ -5096,8 +5096,7 @@ static int rtw_ioctl_wext_private(struct net_device *dev, union iwreq_data *wrq_
case IW_PRIV_TYPE_INT:
/* Display args */
for (j = 0; j < n; j++) {
- sprintf(str, "%d ", ((__s32 *)extra)[j]);
- len = strlen(str);
+ len = scnprintf(str, sizeof(str), "%d ", ((__s32 *)extra)[j]);
output_len = strlen(output);
if ((output_len + len + 1) > 4096) {
err = -E2BIG;
diff --git a/drivers/staging/rtl8723bs/os_dep/mlme_linux.c b/drivers/staging/rtl8723bs/os_dep/mlme_linux.c
index d46c65ab384b..20899b2cff43 100644
--- a/drivers/staging/rtl8723bs/os_dep/mlme_linux.c
+++ b/drivers/staging/rtl8723bs/os_dep/mlme_linux.c
@@ -159,15 +159,15 @@ void rtw_report_sec_ie(struct adapter *adapter, u8 authmode, u8 *sec_ie)
}
p = buff;
- p += sprintf(p, "ASSOCINFO(ReqIEs =");
+ p += scnprintf(p, IW_CUSTOM_MAX - (p - buff), "ASSOCINFO(ReqIEs =");
len = sec_ie[1] + 2;
len = (len < IW_CUSTOM_MAX) ? len : IW_CUSTOM_MAX;
for (i = 0; i < len; i++)
- p += sprintf(p, "%02x", sec_ie[i]);
+ p += scnprintf(p, IW_CUSTOM_MAX - (p - buff), "%02x", sec_ie[i]);
- p += sprintf(p, ")");
+ p += scnprintf(p, IW_CUSTOM_MAX - (p - buff), ")");
memset(&wrqu, 0, sizeof(wrqu));