commit db0589f3b9443f2b57ea6daaec09c1ab0ac99cb0
author Abhijeet Kolekar <abhijeet.kolekar@intel.com> Mon Apr 14 21:16:04 2008 -0700
committer John W. Linville <linville@tuxdriver.com> Wed Apr 16 15:59:57 2008 -0400
tree 4c7987bac93d334849f055929995c05090bfe5bb
parent 57aab75a39089744aba4bd126df2de526481b128

iwlwifi: replace sprintf with scnprintf for debugfs output

The buffersize allocated is not accurate.
Writing to these buffers with scnprintf is safer.

Signed-off-by: Abhijeet Kolekar <abhijeet.kolekar@intel.com>
Signed-off-by: Reinette Chatre <reinette.chatre@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

drivers/net/wireless/iwlwifi/iwl-debugfs.c

diff --git a/drivers/net/wireless/iwlwifi/iwl-debugfs.c b/drivers/net/wireless/iwlwifi/iwl-debugfs.c
index 23632e5..cbea477 100644
--- a/drivers/net/wireless/iwlwifi/iwl-debugfs.c
+++ b/drivers/net/wireless/iwlwifi/iwl-debugfs.c
@@ -102,10 +102,14 @@
 	struct iwl_priv *priv = (struct iwl_priv *)file->private_data;
 	char buf[256];
 	int pos = 0;
+	const size_t bufsz = sizeof(buf);
 
-	pos += sprintf(buf+pos, "mgmt: %u\n", priv->tx_stats[0].cnt);
-	pos += sprintf(buf+pos, "ctrl: %u\n", priv->tx_stats[1].cnt);
-	pos += sprintf(buf+pos, "data: %u\n", priv->tx_stats[2].cnt);
+	pos += scnprintf(buf + pos, bufsz - pos, "mgmt: %u\n",
+						priv->tx_stats[0].cnt);
+	pos += scnprintf(buf + pos, bufsz - pos, "ctrl: %u\n",
+						priv->tx_stats[1].cnt);
+	pos += scnprintf(buf + pos, bufsz - pos, "data: %u\n",
+						priv->tx_stats[2].cnt);
 
 	return simple_read_from_buffer(user_buf, count, ppos, buf, pos);
 }
@@ -117,10 +121,14 @@
 	struct iwl_priv *priv = (struct iwl_priv *)file->private_data;
 	char buf[256];
 	int pos = 0;
+	const size_t bufsz = sizeof(buf);
 
-	pos += sprintf(buf+pos, "mgmt: %u\n", priv->rx_stats[0].cnt);
-	pos += sprintf(buf+pos, "ctrl: %u\n", priv->rx_stats[1].cnt);
-	pos += sprintf(buf+pos, "data: %u\n", priv->rx_stats[2].cnt);
+	pos += scnprintf(buf + pos, bufsz - pos, "mgmt: %u\n",
+						priv->rx_stats[0].cnt);
+	pos += scnprintf(buf + pos, bufsz - pos, "ctrl: %u\n",
+						priv->rx_stats[1].cnt);
+	pos += scnprintf(buf + pos, bufsz - pos, "data: %u\n",
+						priv->rx_stats[2].cnt);
 
 	return simple_read_from_buffer(user_buf, count, ppos, buf, pos);
 }
@@ -138,6 +146,7 @@
 	int i;
 	int pos = 0;
 	struct iwl_priv *priv = (struct iwl_priv *)file->private_data;
+	const size_t bufsz = sizeof(buf);
 
 	printk(KERN_DEBUG "offset is: 0x%x\tlen is: 0x%x\n",
 	priv->dbgfs->sram_offset, priv->dbgfs->sram_len);
@@ -159,9 +168,9 @@
 				break;
 			}
 		}
-		pos += sprintf(buf+pos, "0x%08x ", val);
+		pos += scnprintf(buf + pos, bufsz - pos, "0x%08x ", val);
 	}
-	pos += sprintf(buf+pos, "\n");
+	pos += scnprintf(buf + pos, bufsz - pos, "\n");
 	iwl_release_nic_access(priv);
 
 	ret = simple_read_from_buffer(user_buf, count, ppos, buf, pos);
@@ -210,44 +219,50 @@
 	if(!buf)
 		return -ENOMEM;
 
-	pos += sprintf(buf+pos, "num of stations: %d\n\n",
+	pos += scnprintf(buf + pos, bufsz - pos, "num of stations: %d\n\n",
 			priv->num_stations);
 
 	for (i = 0; i < max_sta; i++) {
 		station = &priv->stations[i];
 		if (station->used) {
-			pos += sprintf(buf+pos, "station %d:\ngeneral data:\n",
-					i+1);
+			pos += scnprintf(buf + pos, bufsz - pos,
+					"station %d:\ngeneral data:\n", i+1);
 			print_mac(mac, station->sta.sta.addr);
-			pos += sprintf(buf+pos, "id: %u\n",
+			pos += scnprintf(buf + pos, bufsz - pos, "id: %u\n",
 					station->sta.sta.sta_id);
-			pos += sprintf(buf+pos, "mode: %u\n",
+			pos += scnprintf(buf + pos, bufsz - pos, "mode: %u\n",
 					station->sta.mode);
-			pos += sprintf(buf+pos, "flags: 0x%x\n",
+			pos += scnprintf(buf + pos, bufsz - pos,
+					"flags: 0x%x\n",
 					station->sta.station_flags_msk);
-			pos += sprintf(buf+pos, "ps_status: %u\n",
-					station->ps_status);
-
-			pos += sprintf(buf+pos, "tid data:\n");
-
-			pos += sprintf(buf+pos, "seq_num\t\ttxq_id\t");
-			pos += sprintf(buf+pos, "frame_count\twait_for_ba\t");
-			pos += sprintf(buf+pos, "start_idx\tbitmap0\t");
-			pos += sprintf(buf+pos, "bitmap1\trate_n_flags\n");
+			pos += scnprintf(buf + pos, bufsz - pos,
+					"ps_status: %u\n", station->ps_status);
+			pos += scnprintf(buf + pos, bufsz - pos, "tid data:\n");
+			pos += scnprintf(buf + pos, bufsz - pos,
+					"seq_num\t\ttxq_id\t");
+			pos += scnprintf(buf + pos, bufsz - pos,
+					"frame_count\twait_for_ba\t");
+			pos += scnprintf(buf + pos, bufsz - pos,
+					"start_idx\tbitmap0\t");
+			pos += scnprintf(buf + pos, bufsz - pos,
+					"bitmap1\trate_n_flags\n");
 
 			for (j = 0; j < MAX_TID_COUNT; j++) {
-				pos += sprintf(buf+pos, "[%d]:\t\t%u\t",
-						j, station->tid[j].seq_number);
-				pos += sprintf(buf+pos, "%u\t\t%u\t\t%u\t\t",
+				pos += scnprintf(buf + pos, bufsz - pos,
+						"[%d]:\t\t%u\t", j,
+						station->tid[j].seq_number);
+				pos += scnprintf(buf + pos, bufsz - pos,
+						"%u\t\t%u\t\t%u\t\t",
 						station->tid[j].agg.txq_id,
 						station->tid[j].agg.frame_count,
 						station->tid[j].agg.wait_for_ba);
-				pos += sprintf(buf+pos, "%u\t%llu\t%u\n",
+				pos += scnprintf(buf + pos, bufsz - pos,
+						"%u\t%llu\t%u\n",
 						station->tid[j].agg.start_idx,
 						(unsigned long long)station->tid[j].agg.bitmap,
 						station->tid[j].agg.rate_n_flags);
 			}
-			pos += sprintf(buf+pos, "\n");
+			pos += scnprintf(buf + pos, bufsz - pos, "\n");
 		}
 	}