Colin King [off-list ref] wrote:

From: Colin Ian King <redacted>

The size of the buffer than can be written to is currently incorrect, it is
always the size of the entire buffer even though the snprintf is writing
as position pos into the buffer. Fix this by setting the buffer size to be
the number of bytes left in the buffer, namely sizeof(buf) - pos.

Addresses-Coverity: ("Out-of-bounds access")
Fixes: 7b0e2c4f6be3 ("wlcore: fix overlapping snprintf arguments in debugfs")
Signed-off-by: Colin Ian King <redacted>
Reviewed-by: Arnd Bergmann <arnd@arndb.de>

Patch applied to wireless-drivers-next.git, thanks.

a9a4c080deb3 wlcore: Fix buffer overrun by snprintf due to incorrect buffer size

-- 
https://patchwork.kernel.org/project/linux-wireless/patch/20210419141405.180582-1-colin.king@canonical.com/

https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches