Commit af72bc8c authored by Takashi Iwai's avatar Takashi Iwai Committed by Mauro Carvalho Chehab
Browse files

media: siano: Use scnprintf() for avoiding potential buffer overflow 



Since snprintf() returns the would-be-output size instead of the
actual output size, the succeeding calls may go beyond the given
buffer limit.  Fix it by replacing with scnprintf().

Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
Signed-off-by: default avatarSean Young <sean@mess.org>
Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+huawei@kernel.org>
parent 4345e2e5

drivers/media/common/siano/smsdvb-debugfs.c

+110 −104
Original line number Diff line number Diff line
@@ -45,88 +45,88 @@ static void smsdvb_print_dvb_stats(struct smsdvb_debugfs *debug_data, 


	buf = debug_data->stats_data;



	n += snprintf(&buf[n], PAGE_SIZE - n,

	n += scnprintf(&buf[n], PAGE_SIZE - n,

		      "is_rf_locked = %d\n", p->is_rf_locked);

	n += snprintf(&buf[n], PAGE_SIZE - n,

	n += scnprintf(&buf[n], PAGE_SIZE - n,

		      "is_demod_locked = %d\n", p->is_demod_locked);

	n += snprintf(&buf[n], PAGE_SIZE - n,

	n += scnprintf(&buf[n], PAGE_SIZE - n,

		      "is_external_lna_on = %d\n", p->is_external_lna_on);

	n += snprintf(&buf[n], PAGE_SIZE - n,

	n += scnprintf(&buf[n], PAGE_SIZE - n,

		      "SNR = %d\n", p->SNR);

	n += snprintf(&buf[n], PAGE_SIZE - n,

	n += scnprintf(&buf[n], PAGE_SIZE - n,

		      "ber = %d\n", p->ber);

	n += snprintf(&buf[n], PAGE_SIZE - n,

	n += scnprintf(&buf[n], PAGE_SIZE - n,

		      "FIB_CRC = %d\n", p->FIB_CRC);

	n += snprintf(&buf[n], PAGE_SIZE - n,

	n += scnprintf(&buf[n], PAGE_SIZE - n,

		      "ts_per = %d\n", p->ts_per);

	n += snprintf(&buf[n], PAGE_SIZE - n,

	n += scnprintf(&buf[n], PAGE_SIZE - n,

		      "MFER = %d\n", p->MFER);

	n += snprintf(&buf[n], PAGE_SIZE - n,

	n += scnprintf(&buf[n], PAGE_SIZE - n,

		      "RSSI = %d\n", p->RSSI);

	n += snprintf(&buf[n], PAGE_SIZE - n,

	n += scnprintf(&buf[n], PAGE_SIZE - n,

		      "in_band_pwr = %d\n", p->in_band_pwr);

	n += snprintf(&buf[n], PAGE_SIZE - n,

	n += scnprintf(&buf[n], PAGE_SIZE - n,

		      "carrier_offset = %d\n", p->carrier_offset);

	n += snprintf(&buf[n], PAGE_SIZE - n,

	n += scnprintf(&buf[n], PAGE_SIZE - n,

		      "modem_state = %d\n", p->modem_state);

	n += snprintf(&buf[n], PAGE_SIZE - n,

	n += scnprintf(&buf[n], PAGE_SIZE - n,

		      "frequency = %d\n", p->frequency);

	n += snprintf(&buf[n], PAGE_SIZE - n,

	n += scnprintf(&buf[n], PAGE_SIZE - n,

		      "bandwidth = %d\n", p->bandwidth);

	n += snprintf(&buf[n], PAGE_SIZE - n,

	n += scnprintf(&buf[n], PAGE_SIZE - n,

		      "transmission_mode = %d\n", p->transmission_mode);

	n += snprintf(&buf[n], PAGE_SIZE - n,

	n += scnprintf(&buf[n], PAGE_SIZE - n,

		      "modem_state = %d\n", p->modem_state);

	n += snprintf(&buf[n], PAGE_SIZE - n,

	n += scnprintf(&buf[n], PAGE_SIZE - n,

		      "guard_interval = %d\n", p->guard_interval);

	n += snprintf(&buf[n], PAGE_SIZE - n,

	n += scnprintf(&buf[n], PAGE_SIZE - n,

		      "code_rate = %d\n", p->code_rate);

	n += snprintf(&buf[n], PAGE_SIZE - n,

	n += scnprintf(&buf[n], PAGE_SIZE - n,

		      "lp_code_rate = %d\n", p->lp_code_rate);

	n += snprintf(&buf[n], PAGE_SIZE - n,

	n += scnprintf(&buf[n], PAGE_SIZE - n,

		      "hierarchy = %d\n", p->hierarchy);

	n += snprintf(&buf[n], PAGE_SIZE - n,

	n += scnprintf(&buf[n], PAGE_SIZE - n,

		      "constellation = %d\n", p->constellation);

	n += snprintf(&buf[n], PAGE_SIZE - n,

	n += scnprintf(&buf[n], PAGE_SIZE - n,

		      "burst_size = %d\n", p->burst_size);

	n += snprintf(&buf[n], PAGE_SIZE - n,

	n += scnprintf(&buf[n], PAGE_SIZE - n,

		      "burst_duration = %d\n", p->burst_duration);

	n += snprintf(&buf[n], PAGE_SIZE - n,

	n += scnprintf(&buf[n], PAGE_SIZE - n,

		      "burst_cycle_time = %d\n", p->burst_cycle_time);

	n += snprintf(&buf[n], PAGE_SIZE - n,

	n += scnprintf(&buf[n], PAGE_SIZE - n,

		      "calc_burst_cycle_time = %d\n",

		      p->calc_burst_cycle_time);

	n += snprintf(&buf[n], PAGE_SIZE - n,

	n += scnprintf(&buf[n], PAGE_SIZE - n,

		      "num_of_rows = %d\n", p->num_of_rows);

	n += snprintf(&buf[n], PAGE_SIZE - n,

	n += scnprintf(&buf[n], PAGE_SIZE - n,

		      "num_of_padd_cols = %d\n", p->num_of_padd_cols);

	n += snprintf(&buf[n], PAGE_SIZE - n,

	n += scnprintf(&buf[n], PAGE_SIZE - n,

		      "num_of_punct_cols = %d\n", p->num_of_punct_cols);

	n += snprintf(&buf[n], PAGE_SIZE - n,

	n += scnprintf(&buf[n], PAGE_SIZE - n,

		      "error_ts_packets = %d\n", p->error_ts_packets);

	n += snprintf(&buf[n], PAGE_SIZE - n,

	n += scnprintf(&buf[n], PAGE_SIZE - n,

		      "total_ts_packets = %d\n", p->total_ts_packets);

	n += snprintf(&buf[n], PAGE_SIZE - n,

	n += scnprintf(&buf[n], PAGE_SIZE - n,

		      "num_of_valid_mpe_tlbs = %d\n", p->num_of_valid_mpe_tlbs);

	n += snprintf(&buf[n], PAGE_SIZE - n,

	n += scnprintf(&buf[n], PAGE_SIZE - n,

		      "num_of_invalid_mpe_tlbs = %d\n", p->num_of_invalid_mpe_tlbs);

	n += snprintf(&buf[n], PAGE_SIZE - n,

	n += scnprintf(&buf[n], PAGE_SIZE - n,

		      "num_of_corrected_mpe_tlbs = %d\n", p->num_of_corrected_mpe_tlbs);

	n += snprintf(&buf[n], PAGE_SIZE - n,

	n += scnprintf(&buf[n], PAGE_SIZE - n,

		      "ber_error_count = %d\n", p->ber_error_count);

	n += snprintf(&buf[n], PAGE_SIZE - n,

	n += scnprintf(&buf[n], PAGE_SIZE - n,

		      "ber_bit_count = %d\n", p->ber_bit_count);

	n += snprintf(&buf[n], PAGE_SIZE - n,

	n += scnprintf(&buf[n], PAGE_SIZE - n,

		      "sms_to_host_tx_errors = %d\n", p->sms_to_host_tx_errors);

	n += snprintf(&buf[n], PAGE_SIZE - n,

	n += scnprintf(&buf[n], PAGE_SIZE - n,

		      "pre_ber = %d\n", p->pre_ber);

	n += snprintf(&buf[n], PAGE_SIZE - n,

	n += scnprintf(&buf[n], PAGE_SIZE - n,

		      "cell_id = %d\n", p->cell_id);

	n += snprintf(&buf[n], PAGE_SIZE - n,

	n += scnprintf(&buf[n], PAGE_SIZE - n,

		      "dvbh_srv_ind_hp = %d\n", p->dvbh_srv_ind_hp);

	n += snprintf(&buf[n], PAGE_SIZE - n,

	n += scnprintf(&buf[n], PAGE_SIZE - n,

		      "dvbh_srv_ind_lp = %d\n", p->dvbh_srv_ind_lp);

	n += snprintf(&buf[n], PAGE_SIZE - n,

	n += scnprintf(&buf[n], PAGE_SIZE - n,

		      "num_mpe_received = %d\n", p->num_mpe_received);



	debug_data->stats_count = n;
@@ -148,42 +148,42 @@ static void smsdvb_print_isdb_stats(struct smsdvb_debugfs *debug_data, 


	buf = debug_data->stats_data;



	n += snprintf(&buf[n], PAGE_SIZE - n,

	n += scnprintf(&buf[n], PAGE_SIZE - n,

		      "statistics_type = %d\t", p->statistics_type);

	n += snprintf(&buf[n], PAGE_SIZE - n,

	n += scnprintf(&buf[n], PAGE_SIZE - n,

		      "full_size = %d\n", p->full_size);



	n += snprintf(&buf[n], PAGE_SIZE - n,

	n += scnprintf(&buf[n], PAGE_SIZE - n,

		      "is_rf_locked = %d\t\t", p->is_rf_locked);

	n += snprintf(&buf[n], PAGE_SIZE - n,

	n += scnprintf(&buf[n], PAGE_SIZE - n,

		      "is_demod_locked = %d\t", p->is_demod_locked);

	n += snprintf(&buf[n], PAGE_SIZE - n,

	n += scnprintf(&buf[n], PAGE_SIZE - n,

		      "is_external_lna_on = %d\n", p->is_external_lna_on);

	n += snprintf(&buf[n], PAGE_SIZE - n,

	n += scnprintf(&buf[n], PAGE_SIZE - n,

		      "SNR = %d dB\t\t", p->SNR);

	n += snprintf(&buf[n], PAGE_SIZE - n,

	n += scnprintf(&buf[n], PAGE_SIZE - n,

		      "RSSI = %d dBm\t\t", p->RSSI);

	n += snprintf(&buf[n], PAGE_SIZE - n,

	n += scnprintf(&buf[n], PAGE_SIZE - n,

		      "in_band_pwr = %d dBm\n", p->in_band_pwr);

	n += snprintf(&buf[n], PAGE_SIZE - n,

	n += scnprintf(&buf[n], PAGE_SIZE - n,

		      "carrier_offset = %d\t", p->carrier_offset);

	n += snprintf(&buf[n], PAGE_SIZE - n,

	n += scnprintf(&buf[n], PAGE_SIZE - n,

		      "bandwidth = %d\t\t", p->bandwidth);

	n += snprintf(&buf[n], PAGE_SIZE - n,

	n += scnprintf(&buf[n], PAGE_SIZE - n,

		      "frequency = %d Hz\n", p->frequency);

	n += snprintf(&buf[n], PAGE_SIZE - n,

	n += scnprintf(&buf[n], PAGE_SIZE - n,

		      "transmission_mode = %d\t", p->transmission_mode);

	n += snprintf(&buf[n], PAGE_SIZE - n,

	n += scnprintf(&buf[n], PAGE_SIZE - n,

		      "modem_state = %d\t\t", p->modem_state);

	n += snprintf(&buf[n], PAGE_SIZE - n,

	n += scnprintf(&buf[n], PAGE_SIZE - n,

		      "guard_interval = %d\n", p->guard_interval);

	n += snprintf(&buf[n], PAGE_SIZE - n,

	n += scnprintf(&buf[n], PAGE_SIZE - n,

		      "system_type = %d\t\t", p->system_type);

	n += snprintf(&buf[n], PAGE_SIZE - n,

	n += scnprintf(&buf[n], PAGE_SIZE - n,

		      "partial_reception = %d\t", p->partial_reception);

	n += snprintf(&buf[n], PAGE_SIZE - n,

	n += scnprintf(&buf[n], PAGE_SIZE - n,

		      "num_of_layers = %d\n", p->num_of_layers);

	n += snprintf(&buf[n], PAGE_SIZE - n,

	n += scnprintf(&buf[n], PAGE_SIZE - n,

		      "sms_to_host_tx_errors = %d\n", p->sms_to_host_tx_errors);



	for (i = 0; i < 3; i++) {
@@ -191,31 +191,34 @@ static void smsdvb_print_isdb_stats(struct smsdvb_debugfs *debug_data, 
		    p->layer_info[i].number_of_segments > 13)

			continue;



		n += snprintf(&buf[n], PAGE_SIZE - n, "\nLayer %d\n", i);

		n += snprintf(&buf[n], PAGE_SIZE - n, "\tcode_rate = %d\t",

		n += scnprintf(&buf[n], PAGE_SIZE - n, "\nLayer %d\n", i);

		n += scnprintf(&buf[n], PAGE_SIZE - n, "\tcode_rate = %d\t",

			      p->layer_info[i].code_rate);

		n += snprintf(&buf[n], PAGE_SIZE - n, "constellation = %d\n",

		n += scnprintf(&buf[n], PAGE_SIZE - n, "constellation = %d\n",

			      p->layer_info[i].constellation);

		n += snprintf(&buf[n], PAGE_SIZE - n, "\tber = %-5d\t",

		n += scnprintf(&buf[n], PAGE_SIZE - n, "\tber = %-5d\t",

			      p->layer_info[i].ber);

		n += snprintf(&buf[n], PAGE_SIZE - n, "\tber_error_count = %-5d\t",

		n += scnprintf(&buf[n], PAGE_SIZE - n,

			      "\tber_error_count = %-5d\t",

			      p->layer_info[i].ber_error_count);

		n += snprintf(&buf[n], PAGE_SIZE - n, "ber_bit_count = %-5d\n",

		n += scnprintf(&buf[n], PAGE_SIZE - n, "ber_bit_count = %-5d\n",

			      p->layer_info[i].ber_bit_count);

		n += snprintf(&buf[n], PAGE_SIZE - n, "\tpre_ber = %-5d\t",

		n += scnprintf(&buf[n], PAGE_SIZE - n, "\tpre_ber = %-5d\t",

			      p->layer_info[i].pre_ber);

		n += snprintf(&buf[n], PAGE_SIZE - n, "\tts_per = %-5d\n",

		n += scnprintf(&buf[n], PAGE_SIZE - n, "\tts_per = %-5d\n",

			      p->layer_info[i].ts_per);

		n += snprintf(&buf[n], PAGE_SIZE - n, "\terror_ts_packets = %-5d\t",

		n += scnprintf(&buf[n], PAGE_SIZE - n,

			      "\terror_ts_packets = %-5d\t",

			      p->layer_info[i].error_ts_packets);

		n += snprintf(&buf[n], PAGE_SIZE - n, "total_ts_packets = %-5d\t",

		n += scnprintf(&buf[n], PAGE_SIZE - n,

			      "total_ts_packets = %-5d\t",

			      p->layer_info[i].total_ts_packets);

		n += snprintf(&buf[n], PAGE_SIZE - n, "ti_ldepth_i = %d\n",

		n += scnprintf(&buf[n], PAGE_SIZE - n, "ti_ldepth_i = %d\n",

			      p->layer_info[i].ti_ldepth_i);

		n += snprintf(&buf[n], PAGE_SIZE - n,

		n += scnprintf(&buf[n], PAGE_SIZE - n,

			      "\tnumber_of_segments = %d\t",

			      p->layer_info[i].number_of_segments);

		n += snprintf(&buf[n], PAGE_SIZE - n, "tmcc_errors = %d\n",

		n += scnprintf(&buf[n], PAGE_SIZE - n, "tmcc_errors = %d\n",

			      p->layer_info[i].tmcc_errors);

	}
@@ -238,44 +241,44 @@ static void smsdvb_print_isdb_stats_ex(struct smsdvb_debugfs *debug_data, 


	buf = debug_data->stats_data;



	n += snprintf(&buf[n], PAGE_SIZE - n,

	n += scnprintf(&buf[n], PAGE_SIZE - n,

		      "statistics_type = %d\t", p->statistics_type);

	n += snprintf(&buf[n], PAGE_SIZE - n,

	n += scnprintf(&buf[n], PAGE_SIZE - n,

		      "full_size = %d\n", p->full_size);



	n += snprintf(&buf[n], PAGE_SIZE - n,

	n += scnprintf(&buf[n], PAGE_SIZE - n,

		      "is_rf_locked = %d\t\t", p->is_rf_locked);

	n += snprintf(&buf[n], PAGE_SIZE - n,

	n += scnprintf(&buf[n], PAGE_SIZE - n,

		      "is_demod_locked = %d\t", p->is_demod_locked);

	n += snprintf(&buf[n], PAGE_SIZE - n,

	n += scnprintf(&buf[n], PAGE_SIZE - n,

		      "is_external_lna_on = %d\n", p->is_external_lna_on);

	n += snprintf(&buf[n], PAGE_SIZE - n,

	n += scnprintf(&buf[n], PAGE_SIZE - n,

		      "SNR = %d dB\t\t", p->SNR);

	n += snprintf(&buf[n], PAGE_SIZE - n,

	n += scnprintf(&buf[n], PAGE_SIZE - n,

		      "RSSI = %d dBm\t\t", p->RSSI);

	n += snprintf(&buf[n], PAGE_SIZE - n,

	n += scnprintf(&buf[n], PAGE_SIZE - n,

		      "in_band_pwr = %d dBm\n", p->in_band_pwr);

	n += snprintf(&buf[n], PAGE_SIZE - n,

	n += scnprintf(&buf[n], PAGE_SIZE - n,

		      "carrier_offset = %d\t", p->carrier_offset);

	n += snprintf(&buf[n], PAGE_SIZE - n,

	n += scnprintf(&buf[n], PAGE_SIZE - n,

		      "bandwidth = %d\t\t", p->bandwidth);

	n += snprintf(&buf[n], PAGE_SIZE - n,

	n += scnprintf(&buf[n], PAGE_SIZE - n,

		      "frequency = %d Hz\n", p->frequency);

	n += snprintf(&buf[n], PAGE_SIZE - n,

	n += scnprintf(&buf[n], PAGE_SIZE - n,

		      "transmission_mode = %d\t", p->transmission_mode);

	n += snprintf(&buf[n], PAGE_SIZE - n,

	n += scnprintf(&buf[n], PAGE_SIZE - n,

		      "modem_state = %d\t\t", p->modem_state);

	n += snprintf(&buf[n], PAGE_SIZE - n,

	n += scnprintf(&buf[n], PAGE_SIZE - n,

		      "guard_interval = %d\n", p->guard_interval);

	n += snprintf(&buf[n], PAGE_SIZE - n,

	n += scnprintf(&buf[n], PAGE_SIZE - n,

		      "system_type = %d\t\t", p->system_type);

	n += snprintf(&buf[n], PAGE_SIZE - n,

	n += scnprintf(&buf[n], PAGE_SIZE - n,

		      "partial_reception = %d\t", p->partial_reception);

	n += snprintf(&buf[n], PAGE_SIZE - n,

	n += scnprintf(&buf[n], PAGE_SIZE - n,

		      "num_of_layers = %d\n", p->num_of_layers);

	n += snprintf(&buf[n], PAGE_SIZE - n, "segment_number = %d\t",

	n += scnprintf(&buf[n], PAGE_SIZE - n, "segment_number = %d\t",

		      p->segment_number);

	n += snprintf(&buf[n], PAGE_SIZE - n, "tune_bw = %d\n",

	n += scnprintf(&buf[n], PAGE_SIZE - n, "tune_bw = %d\n",

		      p->tune_bw);



	for (i = 0; i < 3; i++) {
@@ -283,31 +286,34 @@ static void smsdvb_print_isdb_stats_ex(struct smsdvb_debugfs *debug_data, 
		    p->layer_info[i].number_of_segments > 13)

			continue;



		n += snprintf(&buf[n], PAGE_SIZE - n, "\nLayer %d\n", i);

		n += snprintf(&buf[n], PAGE_SIZE - n, "\tcode_rate = %d\t",

		n += scnprintf(&buf[n], PAGE_SIZE - n, "\nLayer %d\n", i);

		n += scnprintf(&buf[n], PAGE_SIZE - n, "\tcode_rate = %d\t",

			      p->layer_info[i].code_rate);

		n += snprintf(&buf[n], PAGE_SIZE - n, "constellation = %d\n",

		n += scnprintf(&buf[n], PAGE_SIZE - n, "constellation = %d\n",

			      p->layer_info[i].constellation);

		n += snprintf(&buf[n], PAGE_SIZE - n, "\tber = %-5d\t",

		n += scnprintf(&buf[n], PAGE_SIZE - n, "\tber = %-5d\t",

			      p->layer_info[i].ber);

		n += snprintf(&buf[n], PAGE_SIZE - n, "\tber_error_count = %-5d\t",

		n += scnprintf(&buf[n], PAGE_SIZE - n,

			      "\tber_error_count = %-5d\t",

			      p->layer_info[i].ber_error_count);

		n += snprintf(&buf[n], PAGE_SIZE - n, "ber_bit_count = %-5d\n",

		n += scnprintf(&buf[n], PAGE_SIZE - n, "ber_bit_count = %-5d\n",

			      p->layer_info[i].ber_bit_count);

		n += snprintf(&buf[n], PAGE_SIZE - n, "\tpre_ber = %-5d\t",

		n += scnprintf(&buf[n], PAGE_SIZE - n, "\tpre_ber = %-5d\t",

			      p->layer_info[i].pre_ber);

		n += snprintf(&buf[n], PAGE_SIZE - n, "\tts_per = %-5d\n",

		n += scnprintf(&buf[n], PAGE_SIZE - n, "\tts_per = %-5d\n",

			      p->layer_info[i].ts_per);

		n += snprintf(&buf[n], PAGE_SIZE - n, "\terror_ts_packets = %-5d\t",

		n += scnprintf(&buf[n], PAGE_SIZE - n,

			      "\terror_ts_packets = %-5d\t",

			      p->layer_info[i].error_ts_packets);

		n += snprintf(&buf[n], PAGE_SIZE - n, "total_ts_packets = %-5d\t",

		n += scnprintf(&buf[n], PAGE_SIZE - n,

			      "total_ts_packets = %-5d\t",

			      p->layer_info[i].total_ts_packets);

		n += snprintf(&buf[n], PAGE_SIZE - n, "ti_ldepth_i = %d\n",

		n += scnprintf(&buf[n], PAGE_SIZE - n, "ti_ldepth_i = %d\n",

			      p->layer_info[i].ti_ldepth_i);

		n += snprintf(&buf[n], PAGE_SIZE - n,

		n += scnprintf(&buf[n], PAGE_SIZE - n,

			      "\tnumber_of_segments = %d\t",

			      p->layer_info[i].number_of_segments);

		n += snprintf(&buf[n], PAGE_SIZE - n, "tmcc_errors = %d\n",

		n += scnprintf(&buf[n], PAGE_SIZE - n, "tmcc_errors = %d\n",

			      p->layer_info[i].tmcc_errors);

	}