Commit 4a348601 authored by Takashi Iwai's avatar Takashi Iwai Committed by David S. Miller

net: mlx4: Use scnprintf() for avoiding potential buffer overflow

Since snprintf() returns the would-be-output size instead of the
actual output size, the succeeding calls may go beyond the given
buffer limit.  Fix it by replacing with scnprintf().

Cc: "David S . Miller" <davem@davemloft.net>
Cc: Tariq Toukan <tariqt@mellanox.com>
To: netdev@vger.kernel.org
Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 13bde56c
...@@ -906,59 +906,59 @@ static void mlx4_err_rule(struct mlx4_dev *dev, char *str, ...@@ -906,59 +906,59 @@ static void mlx4_err_rule(struct mlx4_dev *dev, char *str,
int len = 0; int len = 0;
mlx4_err(dev, "%s", str); mlx4_err(dev, "%s", str);
len += snprintf(buf + len, BUF_SIZE - len, len += scnprintf(buf + len, BUF_SIZE - len,
"port = %d prio = 0x%x qp = 0x%x ", "port = %d prio = 0x%x qp = 0x%x ",
rule->port, rule->priority, rule->qpn); rule->port, rule->priority, rule->qpn);
list_for_each_entry(cur, &rule->list, list) { list_for_each_entry(cur, &rule->list, list) {
switch (cur->id) { switch (cur->id) {
case MLX4_NET_TRANS_RULE_ID_ETH: case MLX4_NET_TRANS_RULE_ID_ETH:
len += snprintf(buf + len, BUF_SIZE - len, len += scnprintf(buf + len, BUF_SIZE - len,
"dmac = %pM ", &cur->eth.dst_mac); "dmac = %pM ", &cur->eth.dst_mac);
if (cur->eth.ether_type) if (cur->eth.ether_type)
len += snprintf(buf + len, BUF_SIZE - len, len += scnprintf(buf + len, BUF_SIZE - len,
"ethertype = 0x%x ", "ethertype = 0x%x ",
be16_to_cpu(cur->eth.ether_type)); be16_to_cpu(cur->eth.ether_type));
if (cur->eth.vlan_id) if (cur->eth.vlan_id)
len += snprintf(buf + len, BUF_SIZE - len, len += scnprintf(buf + len, BUF_SIZE - len,
"vlan-id = %d ", "vlan-id = %d ",
be16_to_cpu(cur->eth.vlan_id)); be16_to_cpu(cur->eth.vlan_id));
break; break;
case MLX4_NET_TRANS_RULE_ID_IPV4: case MLX4_NET_TRANS_RULE_ID_IPV4:
if (cur->ipv4.src_ip) if (cur->ipv4.src_ip)
len += snprintf(buf + len, BUF_SIZE - len, len += scnprintf(buf + len, BUF_SIZE - len,
"src-ip = %pI4 ", "src-ip = %pI4 ",
&cur->ipv4.src_ip); &cur->ipv4.src_ip);
if (cur->ipv4.dst_ip) if (cur->ipv4.dst_ip)
len += snprintf(buf + len, BUF_SIZE - len, len += scnprintf(buf + len, BUF_SIZE - len,
"dst-ip = %pI4 ", "dst-ip = %pI4 ",
&cur->ipv4.dst_ip); &cur->ipv4.dst_ip);
break; break;
case MLX4_NET_TRANS_RULE_ID_TCP: case MLX4_NET_TRANS_RULE_ID_TCP:
case MLX4_NET_TRANS_RULE_ID_UDP: case MLX4_NET_TRANS_RULE_ID_UDP:
if (cur->tcp_udp.src_port) if (cur->tcp_udp.src_port)
len += snprintf(buf + len, BUF_SIZE - len, len += scnprintf(buf + len, BUF_SIZE - len,
"src-port = %d ", "src-port = %d ",
be16_to_cpu(cur->tcp_udp.src_port)); be16_to_cpu(cur->tcp_udp.src_port));
if (cur->tcp_udp.dst_port) if (cur->tcp_udp.dst_port)
len += snprintf(buf + len, BUF_SIZE - len, len += scnprintf(buf + len, BUF_SIZE - len,
"dst-port = %d ", "dst-port = %d ",
be16_to_cpu(cur->tcp_udp.dst_port)); be16_to_cpu(cur->tcp_udp.dst_port));
break; break;
case MLX4_NET_TRANS_RULE_ID_IB: case MLX4_NET_TRANS_RULE_ID_IB:
len += snprintf(buf + len, BUF_SIZE - len, len += scnprintf(buf + len, BUF_SIZE - len,
"dst-gid = %pI6\n", cur->ib.dst_gid); "dst-gid = %pI6\n", cur->ib.dst_gid);
len += snprintf(buf + len, BUF_SIZE - len, len += scnprintf(buf + len, BUF_SIZE - len,
"dst-gid-mask = %pI6\n", "dst-gid-mask = %pI6\n",
cur->ib.dst_gid_msk); cur->ib.dst_gid_msk);
break; break;
case MLX4_NET_TRANS_RULE_ID_VXLAN: case MLX4_NET_TRANS_RULE_ID_VXLAN:
len += snprintf(buf + len, BUF_SIZE - len, len += scnprintf(buf + len, BUF_SIZE - len,
"VNID = %d ", be32_to_cpu(cur->vxlan.vni)); "VNID = %d ", be32_to_cpu(cur->vxlan.vni));
break; break;
case MLX4_NET_TRANS_RULE_ID_IPV6: case MLX4_NET_TRANS_RULE_ID_IPV6:
break; break;
...@@ -967,7 +967,7 @@ static void mlx4_err_rule(struct mlx4_dev *dev, char *str, ...@@ -967,7 +967,7 @@ static void mlx4_err_rule(struct mlx4_dev *dev, char *str,
break; break;
} }
} }
len += snprintf(buf + len, BUF_SIZE - len, "\n"); len += scnprintf(buf + len, BUF_SIZE - len, "\n");
mlx4_err(dev, "%s", buf); mlx4_err(dev, "%s", buf);
if (len >= BUF_SIZE) if (len >= BUF_SIZE)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment