Thread: 28 messages, 10 authors, 2014-01-29

Re: [PATCH RFC 1/6] net: rfkill: gpio: fix gpio name buffer size off by 1

From: Chen-Yu Tsai <hidden>
Date: 2014-01-17 09:59:56
Also in: linux-arm-kernel, linux-wireless, lkml, netdev

On Fri, Jan 17, 2014 at 5:46 PM, David Laight [off-list ref] wrote:
From: Chen-Yu Tsai
snprintf should be passed the complete size of the buffer, including
the space for '\0'. The previous code resulted in the *_reset and
*_shutdown strings being truncated.
...
diff --git a/net/rfkill/rfkill-gpio.c b/net/rfkill/rfkill-gpio.c
...
-     snprintf(rfkill->reset_name, len + 6 , "%s_reset", rfkill->name);
-     snprintf(rfkill->shutdown_name, len + 9, "%s_shutdown", rfkill->name);
+     snprintf(rfkill->reset_name, len + 7 , "%s_reset", rfkill->name);
+     snprintf(rfkill->shutdown_name, len + 10, "%s_shutdown", rfkill->name);
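Review bot: the new constants 7 and 10 are hand-copied from the devm_kzalloc sizes (len + 7 and len + 10) used elsewhere in the same function, which is exactly how the original off-by-one crept in. Computing each size once and reusing it for both the allocation and the snprintf call, for example `size_t reset_len = len + sizeof("_reset");` (sizeof of a string literal already counts the terminating NUL), would make the two sites unable to drift apart again, and checking the snprintf return value against that size would catch any future mismatch at runtime. The stray space before the comma in `len + 7 ,` should also go.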
I can't find the context for the above, but they look very dubious.
I'd expect: snprintf(foo, sizeof foo, ...).
If you are trying to truncate rfkill->name you need to use %.*s.
The driver allocates these buffers on the fly, a few lines above:

        len = strlen(rfkill->name);
        rfkill->reset_name = devm_kzalloc(&pdev->dev, len + 7, GFP_KERNEL);
        rfkill->shutdown_name = devm_kzalloc(&pdev->dev, len + 10, GFP_KERNEL);

I am not trying to truncate rfkill->name. Rather, the buffer length passed
to snprintf was wrong, so the resulting name was truncated by one character.


Thanks,
ChenYu
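To make the off-by-one concrete, here is an added stand-alone C example (not code from the rfkill-gpio driver or from either poster) that reproduces both sizings in user space, with calloc standing in for devm_kzalloc. The pre-patch variant hands snprintf one byte less than the allocation, so the last character of the name is dropped; the fixed variant derives a single size from sizeof(suffix), which includes the NUL, uses it for both the allocation and the format call, and checks snprintf's return value for truncation. The sample name "wifi" is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Suffixes appended to the rfkill name. sizeof() of a string literal
 * counts the terminating NUL, which is exactly what snprintf needs. */
#define RESET_SUFFIX    "_reset"
#define SHUTDOWN_SUFFIX "_shutdown"

/*
 * Build "<name><suffix>" into a freshly allocated buffer of alloc_size
 * bytes, but hand snprintf fmt_size as its size argument. In the driver
 * both numbers are separate hand-written constants; when they disagree by
 * one, the output loses its last character. If truncated is non-NULL it is
 * set to 1 when snprintf reports that the full string did not fit: its
 * return value is the length the complete string would have had, so a
 * value >= fmt_size means the buffer given to it was too small.
 */
static char *format_name(const char *name, const char *suffix,
                         size_t alloc_size, size_t fmt_size, int *truncated)
{
    char *buf = calloc(1, alloc_size);      /* zero-filled, like kzalloc */
    if (!buf)
        return NULL;
    int n = snprintf(buf, fmt_size, "%s%s", name, suffix);
    if (truncated)
        *truncated = (n < 0 || (size_t)n >= fmt_size);
    return buf;
}

/* Pre-patch sizing: allocation gets len + 7 / len + 10, but snprintf is
 * given len + 6 / len + 9, i.e. the suffix length without the NUL. */
char *reset_name_before(const char *name, int *truncated)
{
    size_t len = strlen(name);
    return format_name(name, RESET_SUFFIX, len + 7, len + 6, truncated);
}

char *shutdown_name_before(const char *name, int *truncated)
{
    size_t len = strlen(name);
    return format_name(name, SHUTDOWN_SUFFIX, len + 10, len + 9, truncated);
}

/* Fixed sizing: compute each size once from sizeof(suffix) and use the
 * same value for the allocation and for snprintf. */
char *reset_name_after(const char *name, int *truncated)
{
    size_t size = strlen(name) + sizeof(RESET_SUFFIX);
    return format_name(name, RESET_SUFFIX, size, size, truncated);
}

char *shutdown_name_after(const char *name, int *truncated)
{
    size_t size = strlen(name) + sizeof(SHUTDOWN_SUFFIX);
    return format_name(name, SHUTDOWN_SUFFIX, size, size, truncated);
}

int main(void)
{
    const char *name = "wifi";   /* constructed sample rfkill name */
    int t;
    char *s;

    s = reset_name_before(name, &t);
    printf("before: %-14s truncated=%d\n", s, t);
    free(s);
    s = shutdown_name_before(name, &t);
    printf("before: %-14s truncated=%d\n", s, t);
    free(s);
    s = reset_name_after(name, &t);
    printf("after:  %-14s truncated=%d\n", s, t);
    free(s);
    s = shutdown_name_after(name, &t);
    printf("after:  %-14s truncated=%d\n", s, t);
    free(s);
    return 0;
}
```

Run as-is it prints "wifi_rese" and "wifi_shutdow" with the truncation flag set for the old sizing, and the full "wifi_reset" / "wifi_shutdown" with the flag clear for the fixed one. The return-value check is the part worth carrying back into driver code: it turns a silent one-character loss into a condition the probe path can report.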