diff options
author | Nick Desaulniers <ndesaulniers@google.com> | 2019-08-15 16:46:04 -0700 |
---|---|---|
committer | Nick Desaulniers <ndesaulniers@google.com> | 2019-08-22 20:17:16 -0700 |
commit | bbe9ce900bc6923741e260f8b96089b928960fc7 (patch) | |
tree | 0c0622cf7a64264622daf6b759e87e2d161caddb | |
parent | a655a9bb6eaf12319e658ae25c37ba7084d7c302 (diff) | |
download | msm-extra-bbe9ce900bc6923741e260f8b96089b928960fc7.tar.gz |
ASoC: wsa881x: fix buffer overflow
Clang-r365631 is reporting:
asoc/codecs/wsa881x.c:392:9: error: 'snprintf' size argument is too
large; destination buffer has size 20, but size argument is 25
[-Werror,-Wfortify-source]
len = snprintf(tmp_buf, 25, "0x%.3x: 0x%.2x\n", i,
^
Since tmp_buf is only 20B, and the format string should only be 13B by
my count, use the actual ARRAY_SIZE.
Make sure to zero the buffer first, as it's passed to copy_to_user.
Prefer scnprintf which returns the amount of bytes written.
Bug: 139442076
Change-Id: I3796c702966310aa921ad8be81afba7bfd7b853c
Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
-rw-r--r-- | asoc/codecs/wsa881x.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/asoc/codecs/wsa881x.c b/asoc/codecs/wsa881x.c index d2a3938a..d10ccdde 100644 --- a/asoc/codecs/wsa881x.c +++ b/asoc/codecs/wsa881x.c @@ -383,14 +383,15 @@ static ssize_t wsa881x_swrslave_reg_show(char __user *ubuf, size_t count, if (!ubuf || !ppos || (devnum == 0)) return 0; + memset(tmp_buf, 0, ARRAY_SIZE(tmp_buf)); for (i = (((int) *ppos / BYTES_PER_LINE) + SWR_SLV_START_REG_ADDR); i <= SWR_SLV_MAX_REG_ADDR; i++) { if (!is_swr_slv_reg_readable(i)) continue; swr_read(dbgwsa881x->swr_slave, devnum, i, ®_val, 1); - len = snprintf(tmp_buf, 25, "0x%.3x: 0x%.2x\n", i, - (reg_val & 0xFF)); + len = scnprintf(tmp_buf, ARRAY_SIZE(tmp_buf), + "0x%.3x: 0x%.2x\n", i, (reg_val & 0xFF)); if ((total + len) >= count - 1) break; if (copy_to_user((ubuf + total), tmp_buf, len)) { |