Commit 86b20af1 authored by Lee Jones's avatar Lee Jones Committed by Greg Kroah-Hartman

usb: yurex: Replace snprintf() with the safer scnprintf() variant

There is a general misunderstanding amongst engineers that {v}snprintf()
returns the length of the data *actually* encoded into the destination
array.  However, as per the C99 standard {v}snprintf() really returns
the length of the data that *would have been* written if there were
enough space for it.  This misunderstanding has led to buffer-overruns
in the past.  It's generally considered safer to use the {v}scnprintf()
variants in their place (or even sprintf() in simple cases).  So let's
do that.

Whilst we're at it, let's define some magic numbers to increase
readability and ease of maintenance.

Link: https://lwn.net/Articles/69419/
Link: https://github.com/KSPP/linux/issues/105
Cc: Tomoki Sekiyama <tomoki.sekiyama@gmail.com>
Signed-off-by: default avatarLee Jones <lee@kernel.org>
Link: https://lore.kernel.org/r/20231213164246.1021885-9-lee@kernel.orgSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent a6eef67c
...@@ -34,6 +34,8 @@ ...@@ -34,6 +34,8 @@
#define YUREX_BUF_SIZE 8 #define YUREX_BUF_SIZE 8
#define YUREX_WRITE_TIMEOUT (HZ*2) #define YUREX_WRITE_TIMEOUT (HZ*2)
#define MAX_S64_STRLEN 20 /* {-}922337203685477580{7,8} */
/* table of devices that work with this driver */ /* table of devices that work with this driver */
static struct usb_device_id yurex_table[] = { static struct usb_device_id yurex_table[] = {
{ USB_DEVICE(YUREX_VENDOR_ID, YUREX_PRODUCT_ID) }, { USB_DEVICE(YUREX_VENDOR_ID, YUREX_PRODUCT_ID) },
...@@ -401,7 +403,7 @@ static ssize_t yurex_read(struct file *file, char __user *buffer, size_t count, ...@@ -401,7 +403,7 @@ static ssize_t yurex_read(struct file *file, char __user *buffer, size_t count,
{ {
struct usb_yurex *dev; struct usb_yurex *dev;
int len = 0; int len = 0;
char in_buffer[20]; char in_buffer[MAX_S64_STRLEN];
unsigned long flags; unsigned long flags;
dev = file->private_data; dev = file->private_data;
...@@ -412,14 +414,14 @@ static ssize_t yurex_read(struct file *file, char __user *buffer, size_t count, ...@@ -412,14 +414,14 @@ static ssize_t yurex_read(struct file *file, char __user *buffer, size_t count,
return -ENODEV; return -ENODEV;
} }
if (WARN_ON_ONCE(dev->bbu > S64_MAX || dev->bbu < S64_MIN))
return -EIO;
spin_lock_irqsave(&dev->lock, flags); spin_lock_irqsave(&dev->lock, flags);
len = snprintf(in_buffer, 20, "%lld\n", dev->bbu); scnprintf(in_buffer, MAX_S64_STRLEN, "%lld\n", dev->bbu);
spin_unlock_irqrestore(&dev->lock, flags); spin_unlock_irqrestore(&dev->lock, flags);
mutex_unlock(&dev->io_mutex); mutex_unlock(&dev->io_mutex);
if (WARN_ON_ONCE(len >= sizeof(in_buffer)))
return -EIO;
return simple_read_from_buffer(buffer, count, ppos, in_buffer, len); return simple_read_from_buffer(buffer, count, ppos, in_buffer, len);
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment