diff options
author | Candy Febriyanto <cfebriyanto@gmail.com> | 2021-03-01 18:00:11 +0300 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2021-03-10 11:25:32 +0300 |
commit | 6d108d064c27928d1bbae22c8f7f81d8efb021fb (patch) | |
tree | 8dea2930157916036e70636eff2b4a7459ecbf14 /drivers | |
parent | 2a02059e4f9ed59817d8c238f93bb8e5c58562ad (diff) | |
download | linux-6d108d064c27928d1bbae22c8f7f81d8efb021fb.tar.xz |
staging: rtl8723bs: os_dep: Replace sprintf with scnprintf
The use of sprintf with format string here means that there is a risk
that the writes will go out of bounds, replace it with scnprintf.
In one block of the translate_scan function sprintf is only called once
(it's not being used to concatenate strings) so there is no need to keep
the pointer "p", remove it.
Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Candy Febriyanto <cfebriyanto@gmail.com>
Link: https://lore.kernel.org/r/d76c5f1db8dbf02ac0ab954b0971ce24e5a8b9bd.1614610197.git.cfebriyanto@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers')
-rw-r--r-- | drivers/staging/rtl8723bs/os_dep/ioctl_linux.c | 23 | ||||
-rw-r--r-- | drivers/staging/rtl8723bs/os_dep/mlme_linux.c | 6 |
2 files changed, 14 insertions, 15 deletions
diff --git a/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c b/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c index 41389e266f54..78ba2423ed65 100644 --- a/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c +++ b/drivers/staging/rtl8723bs/os_dep/ioctl_linux.c @@ -240,9 +240,10 @@ static char *translate_scan(struct adapter *padapter, return start; if (wpa_len > 0) { p = buf; - p += sprintf(p, "wpa_ie ="); + p += scnprintf(p, (MAX_WPA_IE_LEN * 2) - (p - buf), "wpa_ie ="); for (i = 0; i < wpa_len; i++) - p += sprintf(p, "%02x", wpa_ie[i]); + p += scnprintf(p, (MAX_WPA_IE_LEN * 2) - (p - buf), + "%02x", wpa_ie[i]); if (wpa_len > 100) { printk("-----------------Len %d----------------\n", wpa_len); @@ -265,9 +266,10 @@ static char *translate_scan(struct adapter *padapter, if (rsn_len > 0) { p = buf; memset(buf, 0, MAX_WPA_IE_LEN*2); - p += sprintf(p, "rsn_ie ="); + p += scnprintf(p, (MAX_WPA_IE_LEN * 2) - (p - buf), "rsn_ie ="); for (i = 0; i < rsn_len; i++) - p += sprintf(p, "%02x", rsn_ie[i]); + p += scnprintf(p, (MAX_WPA_IE_LEN * 2) - (p - buf), + "%02x", rsn_ie[i]); memset(&iwe, 0, sizeof(iwe)); iwe.cmd = IWEVCUSTOM; iwe.u.data.length = strlen(buf); @@ -365,17 +367,16 @@ static char *translate_scan(struct adapter *padapter, { u8 *buf; - u8 *p, *pos; + u8 *pos; buf = kzalloc(MAX_WPA_IE_LEN, GFP_ATOMIC); if (!buf) goto exit; - p = buf; + pos = pnetwork->network.Reserved; - p += sprintf(p, "fm =%02X%02X", pos[1], pos[0]); memset(&iwe, 0, sizeof(iwe)); iwe.cmd = IWEVCUSTOM; - iwe.u.data.length = strlen(buf); + iwe.u.data.length = scnprintf(buf, MAX_WPA_IE_LEN, "fm =%02X%02X", pos[1], pos[0]); start = iwe_stream_add_point(info, start, stop, &iwe, buf); kfree(buf); } @@ -5082,8 +5083,7 @@ static int rtw_ioctl_wext_private(struct net_device *dev, union iwreq_data *wrq_ case IW_PRIV_TYPE_BYTE: /* Display args */ for (j = 0; j < n; j++) { - sprintf(str, "%d ", extra[j]); - len = strlen(str); + len = scnprintf(str, sizeof(str), "%d ", extra[j]); output_len = strlen(output); if ((output_len + len + 1) > 4096) { err = -E2BIG; @@ -5096,8 +5096,7 @@ static int rtw_ioctl_wext_private(struct net_device *dev, union iwreq_data *wrq_ case IW_PRIV_TYPE_INT: /* Display args */ for (j = 0; j < n; j++) { - sprintf(str, "%d ", ((__s32 *)extra)[j]); - len = strlen(str); + len = scnprintf(str, sizeof(str), "%d ", ((__s32 *)extra)[j]); output_len = strlen(output); if ((output_len + len + 1) > 4096) { err = -E2BIG; diff --git a/drivers/staging/rtl8723bs/os_dep/mlme_linux.c b/drivers/staging/rtl8723bs/os_dep/mlme_linux.c index d46c65ab384b..20899b2cff43 100644 --- a/drivers/staging/rtl8723bs/os_dep/mlme_linux.c +++ b/drivers/staging/rtl8723bs/os_dep/mlme_linux.c @@ -159,15 +159,15 @@ void rtw_report_sec_ie(struct adapter *adapter, u8 authmode, u8 *sec_ie) } p = buff; - p += sprintf(p, "ASSOCINFO(ReqIEs ="); + p += scnprintf(p, IW_CUSTOM_MAX - (p - buff), "ASSOCINFO(ReqIEs ="); len = sec_ie[1] + 2; len = (len < IW_CUSTOM_MAX) ? len : IW_CUSTOM_MAX; for (i = 0; i < len; i++) - p += sprintf(p, "%02x", sec_ie[i]); + p += scnprintf(p, IW_CUSTOM_MAX - (p - buff), "%02x", sec_ie[i]); - p += sprintf(p, ")"); + p += scnprintf(p, IW_CUSTOM_MAX - (p - buff), ")"); memset(&wrqu, 0, sizeof(wrqu)); |