[PATCH] tty: serial: pch_uart: Use scnprintf() for avoiding potential buffer overflow

From: Takashi Iwai
Date: Wed Mar 11 2020 - 05:29:35 EST


Since snprintf() returns the would-be-output size instead of the
actual output size, the succeeding calls may go beyond the given
buffer limit. Fix it by replacing with scnprintf().

Signed-off-by: Takashi Iwai <tiwai@xxxxxxx>
---
drivers/tty/serial/pch_uart.c | 22 +++++++++++-----------
1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/drivers/tty/serial/pch_uart.c b/drivers/tty/serial/pch_uart.c
index 0a96217dba67..40fa7a27722d 100644
--- a/drivers/tty/serial/pch_uart.c
+++ b/drivers/tty/serial/pch_uart.c
@@ -310,32 +310,32 @@ static ssize_t port_show_regs(struct file *file, char __user *user_buf,
if (!buf)
return 0;

- len += snprintf(buf + len, PCH_REGS_BUFSIZE - len,
+ len += scnprintf(buf + len, PCH_REGS_BUFSIZE - len,
"PCH EG20T port[%d] regs:\n", priv->port.line);

- len += snprintf(buf + len, PCH_REGS_BUFSIZE - len,
+ len += scnprintf(buf + len, PCH_REGS_BUFSIZE - len,
"=================================\n");
- len += snprintf(buf + len, PCH_REGS_BUFSIZE - len,
+ len += scnprintf(buf + len, PCH_REGS_BUFSIZE - len,
"IER: \t0x%02x\n", ioread8(priv->membase + UART_IER));
- len += snprintf(buf + len, PCH_REGS_BUFSIZE - len,
+ len += scnprintf(buf + len, PCH_REGS_BUFSIZE - len,
"IIR: \t0x%02x\n", ioread8(priv->membase + UART_IIR));
- len += snprintf(buf + len, PCH_REGS_BUFSIZE - len,
+ len += scnprintf(buf + len, PCH_REGS_BUFSIZE - len,
"LCR: \t0x%02x\n", ioread8(priv->membase + UART_LCR));
- len += snprintf(buf + len, PCH_REGS_BUFSIZE - len,
+ len += scnprintf(buf + len, PCH_REGS_BUFSIZE - len,
"MCR: \t0x%02x\n", ioread8(priv->membase + UART_MCR));
- len += snprintf(buf + len, PCH_REGS_BUFSIZE - len,
+ len += scnprintf(buf + len, PCH_REGS_BUFSIZE - len,
"LSR: \t0x%02x\n", ioread8(priv->membase + UART_LSR));
- len += snprintf(buf + len, PCH_REGS_BUFSIZE - len,
+ len += scnprintf(buf + len, PCH_REGS_BUFSIZE - len,
"MSR: \t0x%02x\n", ioread8(priv->membase + UART_MSR));
- len += snprintf(buf + len, PCH_REGS_BUFSIZE - len,
+ len += scnprintf(buf + len, PCH_REGS_BUFSIZE - len,
"BRCSR: \t0x%02x\n",
ioread8(priv->membase + PCH_UART_BRCSR));

lcr = ioread8(priv->membase + UART_LCR);
iowrite8(PCH_UART_LCR_DLAB, priv->membase + UART_LCR);
- len += snprintf(buf + len, PCH_REGS_BUFSIZE - len,
+ len += scnprintf(buf + len, PCH_REGS_BUFSIZE - len,
"DLL: \t0x%02x\n", ioread8(priv->membase + UART_DLL));
- len += snprintf(buf + len, PCH_REGS_BUFSIZE - len,
+ len += scnprintf(buf + len, PCH_REGS_BUFSIZE - len,
"DLM: \t0x%02x\n", ioread8(priv->membase + UART_DLM));
iowrite8(lcr, priv->membase + UART_LCR);

--
2.16.4