From: Lars-Peter Clausen <lars@metafoo.de>
Date: Tue, 5 Jun 2012 16:24:12 +0000 (+0200)
Subject: iio: iio_enum_available_read: Prevent possible buffer overflow
X-Git-Tag: next-20120724~21^2~898
X-Git-Url: https://git.karo-electronics.de/?a=commitdiff_plain;h=74dcd439bf8c16b01f9f5a9dffb2b171ed94e2e5;p=karo-tx-linux.git

iio: iio_enum_available_read: Prevent possible buffer overflow

Use scnprint instead of snprintf, because snprintf returns the number of bytes
that would have been written to the buffer if there was enough space, and as a
result writing to buf[len-1] might cause a access beyond the buffers limits.

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Acked-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---

diff --git a/drivers/iio/industrialio-core.c b/drivers/iio/industrialio-core.c
index 56a3c0bc996c..cf9ecd0ae7c9 100644
--- a/drivers/iio/industrialio-core.c
+++ b/drivers/iio/industrialio-core.c
@@ -300,7 +300,7 @@ ssize_t iio_enum_available_read(struct iio_dev *indio_dev,
 		return 0;
 
 	for (i = 0; i < e->num_items; ++i)
-		len += snprintf(buf + len, PAGE_SIZE - len, "%s ", e->items[i]);
+		len += scnprintf(buf + len, PAGE_SIZE - len, "%s ", e->items[i]);
 
 	/* replace last space with a newline */
 	buf[len - 1] = '\n';