From caa47cc639470485ee0ae3c76d56ccf4cfda2045 Mon Sep 17 00:00:00 2001
From: Takashi Iwai
Date: Wed, 11 Mar 2020 10:29:05 +0100
Subject: [PATCH] tty: nozomi: Use scnprintf() for avoiding potential buffer overflow
Since snprintf() returns the would-be-output size instead of the actual output size, the succeeding calls may go beyond the given buffer limit. Fix it by replacing with scnprintf(). Also rewrite the code in a standard if-form instead of ugly conditional operators.
Signed-off-by: Takashi Iwai
Link: https://lore.kernel.org/r/20200311092905.24362-1-tiwai@suse.de
Signed-off-by: Greg Kroah-Hartman
---
 drivers/tty/nozomi.c | 57 ++++++++++++++++++++++----------------------
 1 file changed, 28 insertions(+), 29 deletions(-)
diff --git a/drivers/tty/nozomi.c b/drivers/tty/nozomi.c
index 4b82ec30c789..d42b854cb7df 100644
--- a/drivers/tty/nozomi.c
+++ b/drivers/tty/nozomi.c
@@ -839,40 +839,39 @@ static char *interrupt2str(u16 interrupt)
 static char buf[TMP_BUF_MAX];
 char *p = buf;
- interrupt & MDM_DL1 ? p += snprintf(p, TMP_BUF_MAX, "MDM_DL1 ") : NULL;
- interrupt & MDM_DL2 ? p += snprintf(p, TMP_BUF_MAX - (p - buf),
- "MDM_DL2 ") : NULL;
+ if (interrupt & MDM_DL1)
+ p += scnprintf(p, TMP_BUF_MAX, "MDM_DL1 ");
+ if (interrupt & MDM_DL2)
+ p += scnprintf(p, TMP_BUF_MAX - (p - buf), "MDM_DL2 ");
+ if (interrupt & MDM_UL1)
+ p += scnprintf(p, TMP_BUF_MAX - (p - buf), "MDM_UL1 ");
+ if (interrupt & MDM_UL2)
+ p += scnprintf(p, TMP_BUF_MAX - (p - buf), "MDM_UL2 ");
+ if (interrupt & DIAG_DL1)
+ p += scnprintf(p, TMP_BUF_MAX - (p - buf), "DIAG_DL1 ");
+ if (interrupt & DIAG_DL2)
+ p += scnprintf(p, TMP_BUF_MAX - (p - buf), "DIAG_DL2 ");
- interrupt & MDM_UL1 ? p += snprintf(p, TMP_BUF_MAX - (p - buf),
- "MDM_UL1 ") : NULL;
- interrupt & MDM_UL2 ? p += snprintf(p, TMP_BUF_MAX - (p - buf),
- "MDM_UL2 ") : NULL;
+ if (interrupt & DIAG_UL)
+ p += scnprintf(p, TMP_BUF_MAX - (p - buf), "DIAG_UL ");
- interrupt & DIAG_DL1 ? p += snprintf(p, TMP_BUF_MAX - (p - buf),
- "DIAG_DL1 ") : NULL;
- interrupt & DIAG_DL2 ? p += snprintf(p, TMP_BUF_MAX - (p - buf),
- "DIAG_DL2 ") : NULL;
+ if (interrupt & APP1_DL)
+ p += scnprintf(p, TMP_BUF_MAX - (p - buf), "APP1_DL ");
+ if (interrupt & APP2_DL)
+ p += scnprintf(p, TMP_BUF_MAX - (p - buf), "APP2_DL ");
- interrupt & DIAG_UL ? p += snprintf(p, TMP_BUF_MAX - (p - buf),
- "DIAG_UL ") : NULL;
+ if (interrupt & APP1_UL)
+ p += scnprintf(p, TMP_BUF_MAX - (p - buf), "APP1_UL ");
+ if (interrupt & APP2_UL)
+ p += scnprintf(p, TMP_BUF_MAX - (p - buf), "APP2_UL ");
- interrupt & APP1_DL ? p += snprintf(p, TMP_BUF_MAX - (p - buf),
- "APP1_DL ") : NULL;
- interrupt & APP2_DL ? p += snprintf(p, TMP_BUF_MAX - (p - buf),
- "APP2_DL ") : NULL;
+ if (interrupt & CTRL_DL)
+ p += scnprintf(p, TMP_BUF_MAX - (p - buf), "CTRL_DL ");
+ if (interrupt & CTRL_UL)
+ p += scnprintf(p, TMP_BUF_MAX - (p - buf), "CTRL_UL ");
- interrupt & APP1_UL ? p += snprintf(p, TMP_BUF_MAX - (p - buf),
- "APP1_UL ") : NULL;
- interrupt & APP2_UL ? p += snprintf(p, TMP_BUF_MAX - (p - buf),
- "APP2_UL ") : NULL;
-
- interrupt & CTRL_DL ? p += snprintf(p, TMP_BUF_MAX - (p - buf),
- "CTRL_DL ") : NULL;
- interrupt & CTRL_UL ? p += snprintf(p, TMP_BUF_MAX - (p - buf),
- "CTRL_UL ") : NULL;
-
- interrupt & RESET ? p += snprintf(p, TMP_BUF_MAX - (p - buf),
- "RESET ") : NULL;
+ if (interrupt & RESET)
+ p += scnprintf(p, TMP_BUF_MAX - (p - buf), "RESET ");
 return buf;
 }
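Review bot: When `interrupt` has none of the tested bits set, no scnprintf() call runs and the function returns the static `buf` untouched, so the caller sees whatever the previous call left there; adding `buf[0] = '\0';` right after `char *p = buf;` would make that case return an empty string. The same `static char buf[TMP_BUF_MAX]` is handed back to every caller, so if interrupt2str() can be reached concurrently (the callers are not visible in this hunk) the string may be overwritten while it is still being printed; a caller-supplied buffer and length would remove that hazard and deserves at least a comment above the declaration, e.g. `/* not reentrant: returns a shared static buffer */`. The conversion to scnprintf() itself looks right, since `p - buf` can no longer exceed TMP_BUF_MAX and the remaining-size argument therefore cannot go negative. The function's signature and opening brace lie above the hunk.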