[PATCH 122/342] Staging: rt2860: Don't call sprintf() with overlapping input and output.

Greg Kroah-Hartman gregkh at suse.de
Fri Jun 19 18:05:46 UTC 2009 

From: Anders Kaseorg <andersk at MIT.EDU>

The use of sprintf() to append to a buffer, as in
  sprintf(buf, "%sEntry: %d\n", buf, i)
is not valid according to C99 ("If copying takes place between objects
that overlap, the behavior is undefined.").  It breaks at least in
userspace under gcc -D_FORTIFY_SOURCE.  Replace this construct with
  sprintf(buf + strlen(buf), "Entry: %d\n", i)

This patch was automatically generated using
  perl -0pe 's/(sprintf\s*\(\s*([^,]*))(\s*,\s*")%s((?:[^"\\]|\\.)*"\s*,)\s*\2\s*,/$1 + strlen($2)$3$4/g'
  perl -0pe 's/(snprintf\s*\(\s*([^,]*))(\s*,[^,]*?)(\s*,\s*")%s((?:[^"\\]|\\.)*"\s*,)\s*\2\s*,/$1 + strlen($2)$3 - strlen($2)$4$5/g'

Signed-off-by: Anders Kaseorg <andersk at mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh at suse.de>
---
 drivers/staging/rt2860/common/cmm_info.c |    2 +-
 drivers/staging/rt2860/sta/assoc.c       |    2 +-
 drivers/staging/rt2860/sta_ioctl.c       |   11 +++++------
 3 files changed, 7 insertions(+), 8 deletions(-)

diff --git a/drivers/staging/rt2860/common/cmm_info.c b/drivers/staging/rt2860/common/cmm_info.c
index c3e1319..9e7efb0 100644
--- a/drivers/staging/rt2860/common/cmm_info.c
+++ b/drivers/staging/rt2860/common/cmm_info.c
@@ -2911,7 +2911,7 @@ INT RTMPShowCfgValue(
 	{
 		sprintf(pBuf, "\n");
 		for (PRTMP_PRIVATE_STA_SHOW_CFG_VALUE_PROC = RTMP_PRIVATE_STA_SHOW_CFG_VALUE_PROC; PRTMP_PRIVATE_STA_SHOW_CFG_VALUE_PROC->name; PRTMP_PRIVATE_STA_SHOW_CFG_VALUE_PROC++)
-			sprintf(pBuf, "%s%s\n", pBuf, PRTMP_PRIVATE_STA_SHOW_CFG_VALUE_PROC->name);
+			sprintf(pBuf + strlen(pBuf), "%s\n", PRTMP_PRIVATE_STA_SHOW_CFG_VALUE_PROC->name);
 	}
 
 	return Status;
diff --git a/drivers/staging/rt2860/sta/assoc.c b/drivers/staging/rt2860/sta/assoc.c
index 34f1c14..99c2aed 100644
--- a/drivers/staging/rt2860/sta/assoc.c
+++ b/drivers/staging/rt2860/sta/assoc.c
@@ -1791,7 +1791,7 @@ int wext_notify_event_assoc(
         wrqu.data.length = (pAd->StaCfg.ReqVarIELen*2) + 17;
         sprintf(custom, "ASSOCINFO(ReqIEs=");
         for (idx=0; idx<pAd->StaCfg.ReqVarIELen; idx++)
-                sprintf(custom, "%s%02x", custom, pAd->StaCfg.ReqVarIEs[idx]);
+                sprintf(custom + strlen(custom), "%02x", pAd->StaCfg.ReqVarIEs[idx]);
         wireless_send_event(pAd->net_dev, IWEVCUSTOM, &wrqu, custom);
     }
     else
diff --git a/drivers/staging/rt2860/sta_ioctl.c b/drivers/staging/rt2860/sta_ioctl.c
index c5452f1..56c22a6 100644
--- a/drivers/staging/rt2860/sta_ioctl.c
+++ b/drivers/staging/rt2860/sta_ioctl.c
@@ -1360,7 +1360,7 @@ int rt_ioctl_giwscan(struct net_device *dev,
             iwe.u.data.length = (pAdapter->ScanTab.BssEntry[i].WpaIE.IELen * 2) + 7;
             NdisMoveMemory(custom, "wpa_ie=", 7);
             for (idx = 0; idx < pAdapter->ScanTab.BssEntry[i].WpaIE.IELen; idx++)
-                sprintf(custom, "%s%02x", custom, pAdapter->ScanTab.BssEntry[i].WpaIE.IE[idx]);
+                sprintf(custom + strlen(custom), "%02x", pAdapter->ScanTab.BssEntry[i].WpaIE.IE[idx]);
             previous_ev = current_ev;
     		current_ev = IWE_STREAM_ADD_POINT(info, current_ev, end_buf, &iwe,  custom);
             if (current_ev == previous_ev)
@@ -1380,7 +1380,7 @@ int rt_ioctl_giwscan(struct net_device *dev,
             iwe.u.data.length = (pAdapter->ScanTab.BssEntry[i].RsnIE.IELen * 2) + 7;
             NdisMoveMemory(custom, "rsn_ie=", 7);
 			for (idx = 0; idx < pAdapter->ScanTab.BssEntry[i].RsnIE.IELen; idx++)
-                sprintf(custom, "%s%02x", custom, pAdapter->ScanTab.BssEntry[i].RsnIE.IE[idx]);
+                sprintf(custom + strlen(custom), "%02x", pAdapter->ScanTab.BssEntry[i].RsnIE.IE[idx]);
             previous_ev = current_ev;
     		current_ev = IWE_STREAM_ADD_POINT(info, current_ev, end_buf, &iwe,  custom);
             if (current_ev == previous_ev)
@@ -2022,8 +2022,7 @@ void	getBaInfo(
 		if (((pEntry->ValidAsCLI || pEntry->ValidAsApCli) && (pEntry->Sst == SST_ASSOC))
 			|| (pEntry->ValidAsWDS) || (pEntry->ValidAsMesh))
 		{
-			sprintf(pOutBuf, "%s\n%02X:%02X:%02X:%02X:%02X:%02X (Aid = %d) (AP) -\n",
-                pOutBuf,
+			sprintf(pOutBuf + strlen(pOutBuf), "\n%02X:%02X:%02X:%02X:%02X:%02X (Aid = %d) (AP) -\n",
 				pEntry->Addr[0], pEntry->Addr[1], pEntry->Addr[2],
 				pEntry->Addr[3], pEntry->Addr[4], pEntry->Addr[5], pEntry->Aid);
 
@@ -2033,7 +2032,7 @@ void	getBaInfo(
 				if (pEntry->BARecWcidArray[j] != 0)
 				{
 					pRecBAEntry =&pAd->BATable.BARecEntry[pEntry->BARecWcidArray[j]];
-					sprintf(pOutBuf, "%sTID=%d, BAWinSize=%d, LastIndSeq=%d, ReorderingPkts=%d\n", pOutBuf, j, pRecBAEntry->BAWinSize, pRecBAEntry->LastIndSeq, pRecBAEntry->list.qlen);
+					sprintf(pOutBuf + strlen(pOutBuf), "TID=%d, BAWinSize=%d, LastIndSeq=%d, ReorderingPkts=%d\n", j, pRecBAEntry->BAWinSize, pRecBAEntry->LastIndSeq, pRecBAEntry->list.qlen);
 				}
 			}
 			sprintf(pOutBuf, "%s\n", pOutBuf);
@@ -2044,7 +2043,7 @@ void	getBaInfo(
 				if (pEntry->BAOriWcidArray[j] != 0)
 				{
 					pOriBAEntry =&pAd->BATable.BAOriEntry[pEntry->BAOriWcidArray[j]];
-					sprintf(pOutBuf, "%sTID=%d, BAWinSize=%d, StartSeq=%d, CurTxSeq=%d\n", pOutBuf, j, pOriBAEntry->BAWinSize, pOriBAEntry->Sequence, pEntry->TxSeq[j]);
+					sprintf(pOutBuf + strlen(pOutBuf), "TID=%d, BAWinSize=%d, StartSeq=%d, CurTxSeq=%d\n", j, pOriBAEntry->BAWinSize, pOriBAEntry->Sequence, pEntry->TxSeq[j]);
 				}
 			}
 			sprintf(pOutBuf, "%s\n\n", pOutBuf);
-- 
1.6.3.2

More information about the devel mailing list