[PATCH v2 1/3] staging: rtl8723bs: core: Replace sprintf with scnprintf
Candy Febriyanto
cfebriyanto at gmail.com
Mon Mar 1 14:58:17 UTC 2021
The use of sprintf with a format string here means that there is a risk
that the writes will go out of bounds; replace it with scnprintf.
In on_action_public_default the variable "cnt" isn't being used for
anything meaningful so remove it.
Signed-off-by: Candy Febriyanto <cfebriyanto at gmail.com>
Reviewed-by: Hans de Goede <hdegoede at redhat.com>
---
drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 3 +--
drivers/staging/rtl8723bs/core/rtw_pwrctrl.c | 4 ++--
2 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
index fa4b0259c5ae..3443a5764c50 100644
--- a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
+++ b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
@@ -2084,7 +2084,6 @@ static unsigned int on_action_public_default(union recv_frame *precv_frame, u8 a
u8 *frame_body = pframe + sizeof(struct ieee80211_hdr_3addr);
u8 token;
struct adapter *adapter = precv_frame->u.hdr.adapter;
- int cnt = 0;
char msg[64];
token = frame_body[2];
@@ -2092,7 +2091,7 @@ static unsigned int on_action_public_default(union recv_frame *precv_frame, u8 a
if (rtw_action_public_decache(precv_frame, token) == _FAIL)
goto exit;
- cnt += sprintf((msg+cnt), "%s(token:%u)", action_public_str(action), token);
+ scnprintf(msg, sizeof(msg), "%s(token:%u)", action_public_str(action), token);
rtw_cfg80211_rx_action(adapter, pframe, frame_len, msg);
ret = _SUCCESS;
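Review bot: The token that is decached and formatted here is read as `frame_body[2]` at the top of on_action_public_default (previous hunk), and no visible line checks that `frame_len` covers the 3-address header plus three body bytes before that read. If the caller does not already guarantee this, a short action frame would turn the read into an out-of-bounds access of the receive buffer, which bounding the later format call does not address. A guard such as `if (frame_len < sizeof(struct ieee80211_hdr_3addr) + 3) goto exit;` ahead of the token read would close it. The function starts and ends outside these hunks, so the check may already exist elsewhere.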
diff --git a/drivers/staging/rtl8723bs/core/rtw_pwrctrl.c b/drivers/staging/rtl8723bs/core/rtw_pwrctrl.c
index 5b05d1eaa328..c9f4a18b24b9 100644
--- a/drivers/staging/rtl8723bs/core/rtw_pwrctrl.c
+++ b/drivers/staging/rtl8723bs/core/rtw_pwrctrl.c
@@ -554,7 +554,7 @@ void LPS_Enter(struct adapter *padapter, const char *msg)
/* Idle for a while if we connect to AP a while ago. */
if (pwrpriv->LpsIdleCount >= 2) { /* 4 Sec */
if (pwrpriv->pwr_mode == PS_MODE_ACTIVE) {
- sprintf(buf, "WIFI-%s", msg);
+ scnprintf(buf, sizeof(buf), "WIFI-%s", msg);
pwrpriv->bpower_saving = true;
rtw_set_ps_mode(padapter, pwrpriv->power_mgnt, padapter->registrypriv.smart_ps, 0, buf);
}
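Review bot: `sizeof(buf)` in LPS_Enter bounds the write only if `buf` is a true array local to this function; its declaration is outside the hunk, and if it were a pointer the limit would silently become the pointer size. The same applies to the identical line in the LPS_Leave hunk. Because `msg` is caller-supplied and scnprintf truncates without reporting it, a short comment above the call, e.g. `/* buf is a fixed-size label; an over-long msg is truncated, not an error */`, would record that passing a truncated string to rtw_set_ps_mode is intended.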
@@ -584,7 +584,7 @@ void LPS_Leave(struct adapter *padapter, const char *msg)
if (pwrpriv->bLeisurePs) {
if (pwrpriv->pwr_mode != PS_MODE_ACTIVE) {
- sprintf(buf, "WIFI-%s", msg);
+ scnprintf(buf, sizeof(buf), "WIFI-%s", msg);
rtw_set_ps_mode(padapter, PS_MODE_ACTIVE, 0, 0, buf);
if (pwrpriv->pwr_mode == PS_MODE_ACTIVE)
--
2.30.1