media: siano: Use scnprintf() for avoiding potential buffer overflow

Since snprintf() returns the would-be-output size instead of the
actual output size, the succeeding calls may go beyond the given
buffer limit.  Fix it by replacing with scnprintf().

Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
This commit is contained in:
Takashi Iwai 2020-03-11 08:46:38 +01:00 committed by Mauro Carvalho Chehab
parent 4345e2e5c7
commit af72bc8cd6
1 changed files with 110 additions and 104 deletions

View File

@ -45,88 +45,88 @@ static void smsdvb_print_dvb_stats(struct smsdvb_debugfs *debug_data,
buf = debug_data->stats_data;
n += snprintf(&buf[n], PAGE_SIZE - n,
n += scnprintf(&buf[n], PAGE_SIZE - n,
"is_rf_locked = %d\n", p->is_rf_locked);
n += snprintf(&buf[n], PAGE_SIZE - n,
n += scnprintf(&buf[n], PAGE_SIZE - n,
"is_demod_locked = %d\n", p->is_demod_locked);
n += snprintf(&buf[n], PAGE_SIZE - n,
n += scnprintf(&buf[n], PAGE_SIZE - n,
"is_external_lna_on = %d\n", p->is_external_lna_on);
n += snprintf(&buf[n], PAGE_SIZE - n,
n += scnprintf(&buf[n], PAGE_SIZE - n,
"SNR = %d\n", p->SNR);
n += snprintf(&buf[n], PAGE_SIZE - n,
n += scnprintf(&buf[n], PAGE_SIZE - n,
"ber = %d\n", p->ber);
n += snprintf(&buf[n], PAGE_SIZE - n,
n += scnprintf(&buf[n], PAGE_SIZE - n,
"FIB_CRC = %d\n", p->FIB_CRC);
n += snprintf(&buf[n], PAGE_SIZE - n,
n += scnprintf(&buf[n], PAGE_SIZE - n,
"ts_per = %d\n", p->ts_per);
n += snprintf(&buf[n], PAGE_SIZE - n,
n += scnprintf(&buf[n], PAGE_SIZE - n,
"MFER = %d\n", p->MFER);
n += snprintf(&buf[n], PAGE_SIZE - n,
n += scnprintf(&buf[n], PAGE_SIZE - n,
"RSSI = %d\n", p->RSSI);
n += snprintf(&buf[n], PAGE_SIZE - n,
n += scnprintf(&buf[n], PAGE_SIZE - n,
"in_band_pwr = %d\n", p->in_band_pwr);
n += snprintf(&buf[n], PAGE_SIZE - n,
n += scnprintf(&buf[n], PAGE_SIZE - n,
"carrier_offset = %d\n", p->carrier_offset);
n += snprintf(&buf[n], PAGE_SIZE - n,
n += scnprintf(&buf[n], PAGE_SIZE - n,
"modem_state = %d\n", p->modem_state);
n += snprintf(&buf[n], PAGE_SIZE - n,
n += scnprintf(&buf[n], PAGE_SIZE - n,
"frequency = %d\n", p->frequency);
n += snprintf(&buf[n], PAGE_SIZE - n,
n += scnprintf(&buf[n], PAGE_SIZE - n,
"bandwidth = %d\n", p->bandwidth);
n += snprintf(&buf[n], PAGE_SIZE - n,
n += scnprintf(&buf[n], PAGE_SIZE - n,
"transmission_mode = %d\n", p->transmission_mode);
n += snprintf(&buf[n], PAGE_SIZE - n,
n += scnprintf(&buf[n], PAGE_SIZE - n,
"modem_state = %d\n", p->modem_state);
n += snprintf(&buf[n], PAGE_SIZE - n,
n += scnprintf(&buf[n], PAGE_SIZE - n,
"guard_interval = %d\n", p->guard_interval);
n += snprintf(&buf[n], PAGE_SIZE - n,
n += scnprintf(&buf[n], PAGE_SIZE - n,
"code_rate = %d\n", p->code_rate);
n += snprintf(&buf[n], PAGE_SIZE - n,
n += scnprintf(&buf[n], PAGE_SIZE - n,
"lp_code_rate = %d\n", p->lp_code_rate);
n += snprintf(&buf[n], PAGE_SIZE - n,
n += scnprintf(&buf[n], PAGE_SIZE - n,
"hierarchy = %d\n", p->hierarchy);
n += snprintf(&buf[n], PAGE_SIZE - n,
n += scnprintf(&buf[n], PAGE_SIZE - n,
"constellation = %d\n", p->constellation);
n += snprintf(&buf[n], PAGE_SIZE - n,
n += scnprintf(&buf[n], PAGE_SIZE - n,
"burst_size = %d\n", p->burst_size);
n += snprintf(&buf[n], PAGE_SIZE - n,
n += scnprintf(&buf[n], PAGE_SIZE - n,
"burst_duration = %d\n", p->burst_duration);
n += snprintf(&buf[n], PAGE_SIZE - n,
n += scnprintf(&buf[n], PAGE_SIZE - n,
"burst_cycle_time = %d\n", p->burst_cycle_time);
n += snprintf(&buf[n], PAGE_SIZE - n,
n += scnprintf(&buf[n], PAGE_SIZE - n,
"calc_burst_cycle_time = %d\n",
p->calc_burst_cycle_time);
n += snprintf(&buf[n], PAGE_SIZE - n,
n += scnprintf(&buf[n], PAGE_SIZE - n,
"num_of_rows = %d\n", p->num_of_rows);
n += snprintf(&buf[n], PAGE_SIZE - n,
n += scnprintf(&buf[n], PAGE_SIZE - n,
"num_of_padd_cols = %d\n", p->num_of_padd_cols);
n += snprintf(&buf[n], PAGE_SIZE - n,
n += scnprintf(&buf[n], PAGE_SIZE - n,
"num_of_punct_cols = %d\n", p->num_of_punct_cols);
n += snprintf(&buf[n], PAGE_SIZE - n,
n += scnprintf(&buf[n], PAGE_SIZE - n,
"error_ts_packets = %d\n", p->error_ts_packets);
n += snprintf(&buf[n], PAGE_SIZE - n,
n += scnprintf(&buf[n], PAGE_SIZE - n,
"total_ts_packets = %d\n", p->total_ts_packets);
n += snprintf(&buf[n], PAGE_SIZE - n,
n += scnprintf(&buf[n], PAGE_SIZE - n,
"num_of_valid_mpe_tlbs = %d\n", p->num_of_valid_mpe_tlbs);
n += snprintf(&buf[n], PAGE_SIZE - n,
n += scnprintf(&buf[n], PAGE_SIZE - n,
"num_of_invalid_mpe_tlbs = %d\n", p->num_of_invalid_mpe_tlbs);
n += snprintf(&buf[n], PAGE_SIZE - n,
n += scnprintf(&buf[n], PAGE_SIZE - n,
"num_of_corrected_mpe_tlbs = %d\n", p->num_of_corrected_mpe_tlbs);
n += snprintf(&buf[n], PAGE_SIZE - n,
n += scnprintf(&buf[n], PAGE_SIZE - n,
"ber_error_count = %d\n", p->ber_error_count);
n += snprintf(&buf[n], PAGE_SIZE - n,
n += scnprintf(&buf[n], PAGE_SIZE - n,
"ber_bit_count = %d\n", p->ber_bit_count);
n += snprintf(&buf[n], PAGE_SIZE - n,
n += scnprintf(&buf[n], PAGE_SIZE - n,
"sms_to_host_tx_errors = %d\n", p->sms_to_host_tx_errors);
n += snprintf(&buf[n], PAGE_SIZE - n,
n += scnprintf(&buf[n], PAGE_SIZE - n,
"pre_ber = %d\n", p->pre_ber);
n += snprintf(&buf[n], PAGE_SIZE - n,
n += scnprintf(&buf[n], PAGE_SIZE - n,
"cell_id = %d\n", p->cell_id);
n += snprintf(&buf[n], PAGE_SIZE - n,
n += scnprintf(&buf[n], PAGE_SIZE - n,
"dvbh_srv_ind_hp = %d\n", p->dvbh_srv_ind_hp);
n += snprintf(&buf[n], PAGE_SIZE - n,
n += scnprintf(&buf[n], PAGE_SIZE - n,
"dvbh_srv_ind_lp = %d\n", p->dvbh_srv_ind_lp);
n += snprintf(&buf[n], PAGE_SIZE - n,
n += scnprintf(&buf[n], PAGE_SIZE - n,
"num_mpe_received = %d\n", p->num_mpe_received);
debug_data->stats_count = n;
@ -148,42 +148,42 @@ static void smsdvb_print_isdb_stats(struct smsdvb_debugfs *debug_data,
buf = debug_data->stats_data;
n += snprintf(&buf[n], PAGE_SIZE - n,
n += scnprintf(&buf[n], PAGE_SIZE - n,
"statistics_type = %d\t", p->statistics_type);
n += snprintf(&buf[n], PAGE_SIZE - n,
n += scnprintf(&buf[n], PAGE_SIZE - n,
"full_size = %d\n", p->full_size);
n += snprintf(&buf[n], PAGE_SIZE - n,
n += scnprintf(&buf[n], PAGE_SIZE - n,
"is_rf_locked = %d\t\t", p->is_rf_locked);
n += snprintf(&buf[n], PAGE_SIZE - n,
n += scnprintf(&buf[n], PAGE_SIZE - n,
"is_demod_locked = %d\t", p->is_demod_locked);
n += snprintf(&buf[n], PAGE_SIZE - n,
n += scnprintf(&buf[n], PAGE_SIZE - n,
"is_external_lna_on = %d\n", p->is_external_lna_on);
n += snprintf(&buf[n], PAGE_SIZE - n,
n += scnprintf(&buf[n], PAGE_SIZE - n,
"SNR = %d dB\t\t", p->SNR);
n += snprintf(&buf[n], PAGE_SIZE - n,
n += scnprintf(&buf[n], PAGE_SIZE - n,
"RSSI = %d dBm\t\t", p->RSSI);
n += snprintf(&buf[n], PAGE_SIZE - n,
n += scnprintf(&buf[n], PAGE_SIZE - n,
"in_band_pwr = %d dBm\n", p->in_band_pwr);
n += snprintf(&buf[n], PAGE_SIZE - n,
n += scnprintf(&buf[n], PAGE_SIZE - n,
"carrier_offset = %d\t", p->carrier_offset);
n += snprintf(&buf[n], PAGE_SIZE - n,
n += scnprintf(&buf[n], PAGE_SIZE - n,
"bandwidth = %d\t\t", p->bandwidth);
n += snprintf(&buf[n], PAGE_SIZE - n,
n += scnprintf(&buf[n], PAGE_SIZE - n,
"frequency = %d Hz\n", p->frequency);
n += snprintf(&buf[n], PAGE_SIZE - n,
n += scnprintf(&buf[n], PAGE_SIZE - n,
"transmission_mode = %d\t", p->transmission_mode);
n += snprintf(&buf[n], PAGE_SIZE - n,
n += scnprintf(&buf[n], PAGE_SIZE - n,
"modem_state = %d\t\t", p->modem_state);
n += snprintf(&buf[n], PAGE_SIZE - n,
n += scnprintf(&buf[n], PAGE_SIZE - n,
"guard_interval = %d\n", p->guard_interval);
n += snprintf(&buf[n], PAGE_SIZE - n,
n += scnprintf(&buf[n], PAGE_SIZE - n,
"system_type = %d\t\t", p->system_type);
n += snprintf(&buf[n], PAGE_SIZE - n,
n += scnprintf(&buf[n], PAGE_SIZE - n,
"partial_reception = %d\t", p->partial_reception);
n += snprintf(&buf[n], PAGE_SIZE - n,
n += scnprintf(&buf[n], PAGE_SIZE - n,
"num_of_layers = %d\n", p->num_of_layers);
n += snprintf(&buf[n], PAGE_SIZE - n,
n += scnprintf(&buf[n], PAGE_SIZE - n,
"sms_to_host_tx_errors = %d\n", p->sms_to_host_tx_errors);
for (i = 0; i < 3; i++) {
@ -191,31 +191,34 @@ static void smsdvb_print_isdb_stats(struct smsdvb_debugfs *debug_data,
p->layer_info[i].number_of_segments > 13)
continue;
n += snprintf(&buf[n], PAGE_SIZE - n, "\nLayer %d\n", i);
n += snprintf(&buf[n], PAGE_SIZE - n, "\tcode_rate = %d\t",
n += scnprintf(&buf[n], PAGE_SIZE - n, "\nLayer %d\n", i);
n += scnprintf(&buf[n], PAGE_SIZE - n, "\tcode_rate = %d\t",
p->layer_info[i].code_rate);
n += snprintf(&buf[n], PAGE_SIZE - n, "constellation = %d\n",
n += scnprintf(&buf[n], PAGE_SIZE - n, "constellation = %d\n",
p->layer_info[i].constellation);
n += snprintf(&buf[n], PAGE_SIZE - n, "\tber = %-5d\t",
n += scnprintf(&buf[n], PAGE_SIZE - n, "\tber = %-5d\t",
p->layer_info[i].ber);
n += snprintf(&buf[n], PAGE_SIZE - n, "\tber_error_count = %-5d\t",
n += scnprintf(&buf[n], PAGE_SIZE - n,
"\tber_error_count = %-5d\t",
p->layer_info[i].ber_error_count);
n += snprintf(&buf[n], PAGE_SIZE - n, "ber_bit_count = %-5d\n",
n += scnprintf(&buf[n], PAGE_SIZE - n, "ber_bit_count = %-5d\n",
p->layer_info[i].ber_bit_count);
n += snprintf(&buf[n], PAGE_SIZE - n, "\tpre_ber = %-5d\t",
n += scnprintf(&buf[n], PAGE_SIZE - n, "\tpre_ber = %-5d\t",
p->layer_info[i].pre_ber);
n += snprintf(&buf[n], PAGE_SIZE - n, "\tts_per = %-5d\n",
n += scnprintf(&buf[n], PAGE_SIZE - n, "\tts_per = %-5d\n",
p->layer_info[i].ts_per);
n += snprintf(&buf[n], PAGE_SIZE - n, "\terror_ts_packets = %-5d\t",
n += scnprintf(&buf[n], PAGE_SIZE - n,
"\terror_ts_packets = %-5d\t",
p->layer_info[i].error_ts_packets);
n += snprintf(&buf[n], PAGE_SIZE - n, "total_ts_packets = %-5d\t",
n += scnprintf(&buf[n], PAGE_SIZE - n,
"total_ts_packets = %-5d\t",
p->layer_info[i].total_ts_packets);
n += snprintf(&buf[n], PAGE_SIZE - n, "ti_ldepth_i = %d\n",
n += scnprintf(&buf[n], PAGE_SIZE - n, "ti_ldepth_i = %d\n",
p->layer_info[i].ti_ldepth_i);
n += snprintf(&buf[n], PAGE_SIZE - n,
n += scnprintf(&buf[n], PAGE_SIZE - n,
"\tnumber_of_segments = %d\t",
p->layer_info[i].number_of_segments);
n += snprintf(&buf[n], PAGE_SIZE - n, "tmcc_errors = %d\n",
n += scnprintf(&buf[n], PAGE_SIZE - n, "tmcc_errors = %d\n",
p->layer_info[i].tmcc_errors);
}
@ -238,44 +241,44 @@ static void smsdvb_print_isdb_stats_ex(struct smsdvb_debugfs *debug_data,
buf = debug_data->stats_data;
n += snprintf(&buf[n], PAGE_SIZE - n,
n += scnprintf(&buf[n], PAGE_SIZE - n,
"statistics_type = %d\t", p->statistics_type);
n += snprintf(&buf[n], PAGE_SIZE - n,
n += scnprintf(&buf[n], PAGE_SIZE - n,
"full_size = %d\n", p->full_size);
n += snprintf(&buf[n], PAGE_SIZE - n,
n += scnprintf(&buf[n], PAGE_SIZE - n,
"is_rf_locked = %d\t\t", p->is_rf_locked);
n += snprintf(&buf[n], PAGE_SIZE - n,
n += scnprintf(&buf[n], PAGE_SIZE - n,
"is_demod_locked = %d\t", p->is_demod_locked);
n += snprintf(&buf[n], PAGE_SIZE - n,
n += scnprintf(&buf[n], PAGE_SIZE - n,
"is_external_lna_on = %d\n", p->is_external_lna_on);
n += snprintf(&buf[n], PAGE_SIZE - n,
n += scnprintf(&buf[n], PAGE_SIZE - n,
"SNR = %d dB\t\t", p->SNR);
n += snprintf(&buf[n], PAGE_SIZE - n,
n += scnprintf(&buf[n], PAGE_SIZE - n,
"RSSI = %d dBm\t\t", p->RSSI);
n += snprintf(&buf[n], PAGE_SIZE - n,
n += scnprintf(&buf[n], PAGE_SIZE - n,
"in_band_pwr = %d dBm\n", p->in_band_pwr);
n += snprintf(&buf[n], PAGE_SIZE - n,
n += scnprintf(&buf[n], PAGE_SIZE - n,
"carrier_offset = %d\t", p->carrier_offset);
n += snprintf(&buf[n], PAGE_SIZE - n,
n += scnprintf(&buf[n], PAGE_SIZE - n,
"bandwidth = %d\t\t", p->bandwidth);
n += snprintf(&buf[n], PAGE_SIZE - n,
n += scnprintf(&buf[n], PAGE_SIZE - n,
"frequency = %d Hz\n", p->frequency);
n += snprintf(&buf[n], PAGE_SIZE - n,
n += scnprintf(&buf[n], PAGE_SIZE - n,
"transmission_mode = %d\t", p->transmission_mode);
n += snprintf(&buf[n], PAGE_SIZE - n,
n += scnprintf(&buf[n], PAGE_SIZE - n,
"modem_state = %d\t\t", p->modem_state);
n += snprintf(&buf[n], PAGE_SIZE - n,
n += scnprintf(&buf[n], PAGE_SIZE - n,
"guard_interval = %d\n", p->guard_interval);
n += snprintf(&buf[n], PAGE_SIZE - n,
n += scnprintf(&buf[n], PAGE_SIZE - n,
"system_type = %d\t\t", p->system_type);
n += snprintf(&buf[n], PAGE_SIZE - n,
n += scnprintf(&buf[n], PAGE_SIZE - n,
"partial_reception = %d\t", p->partial_reception);
n += snprintf(&buf[n], PAGE_SIZE - n,
n += scnprintf(&buf[n], PAGE_SIZE - n,
"num_of_layers = %d\n", p->num_of_layers);
n += snprintf(&buf[n], PAGE_SIZE - n, "segment_number = %d\t",
n += scnprintf(&buf[n], PAGE_SIZE - n, "segment_number = %d\t",
p->segment_number);
n += snprintf(&buf[n], PAGE_SIZE - n, "tune_bw = %d\n",
n += scnprintf(&buf[n], PAGE_SIZE - n, "tune_bw = %d\n",
p->tune_bw);
for (i = 0; i < 3; i++) {
@ -283,31 +286,34 @@ static void smsdvb_print_isdb_stats_ex(struct smsdvb_debugfs *debug_data,
p->layer_info[i].number_of_segments > 13)
continue;
n += snprintf(&buf[n], PAGE_SIZE - n, "\nLayer %d\n", i);
n += snprintf(&buf[n], PAGE_SIZE - n, "\tcode_rate = %d\t",
n += scnprintf(&buf[n], PAGE_SIZE - n, "\nLayer %d\n", i);
n += scnprintf(&buf[n], PAGE_SIZE - n, "\tcode_rate = %d\t",
p->layer_info[i].code_rate);
n += snprintf(&buf[n], PAGE_SIZE - n, "constellation = %d\n",
n += scnprintf(&buf[n], PAGE_SIZE - n, "constellation = %d\n",
p->layer_info[i].constellation);
n += snprintf(&buf[n], PAGE_SIZE - n, "\tber = %-5d\t",
n += scnprintf(&buf[n], PAGE_SIZE - n, "\tber = %-5d\t",
p->layer_info[i].ber);
n += snprintf(&buf[n], PAGE_SIZE - n, "\tber_error_count = %-5d\t",
n += scnprintf(&buf[n], PAGE_SIZE - n,
"\tber_error_count = %-5d\t",
p->layer_info[i].ber_error_count);
n += snprintf(&buf[n], PAGE_SIZE - n, "ber_bit_count = %-5d\n",
n += scnprintf(&buf[n], PAGE_SIZE - n, "ber_bit_count = %-5d\n",
p->layer_info[i].ber_bit_count);
n += snprintf(&buf[n], PAGE_SIZE - n, "\tpre_ber = %-5d\t",
n += scnprintf(&buf[n], PAGE_SIZE - n, "\tpre_ber = %-5d\t",
p->layer_info[i].pre_ber);
n += snprintf(&buf[n], PAGE_SIZE - n, "\tts_per = %-5d\n",
n += scnprintf(&buf[n], PAGE_SIZE - n, "\tts_per = %-5d\n",
p->layer_info[i].ts_per);
n += snprintf(&buf[n], PAGE_SIZE - n, "\terror_ts_packets = %-5d\t",
n += scnprintf(&buf[n], PAGE_SIZE - n,
"\terror_ts_packets = %-5d\t",
p->layer_info[i].error_ts_packets);
n += snprintf(&buf[n], PAGE_SIZE - n, "total_ts_packets = %-5d\t",
n += scnprintf(&buf[n], PAGE_SIZE - n,
"total_ts_packets = %-5d\t",
p->layer_info[i].total_ts_packets);
n += snprintf(&buf[n], PAGE_SIZE - n, "ti_ldepth_i = %d\n",
n += scnprintf(&buf[n], PAGE_SIZE - n, "ti_ldepth_i = %d\n",
p->layer_info[i].ti_ldepth_i);
n += snprintf(&buf[n], PAGE_SIZE - n,
n += scnprintf(&buf[n], PAGE_SIZE - n,
"\tnumber_of_segments = %d\t",
p->layer_info[i].number_of_segments);
n += snprintf(&buf[n], PAGE_SIZE - n, "tmcc_errors = %d\n",
n += scnprintf(&buf[n], PAGE_SIZE - n, "tmcc_errors = %d\n",
p->layer_info[i].tmcc_errors);
}