From: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Date: Wed, 21 Oct 2015 22:03:50 +0000 (+1100)
Subject: lib/vsprintf.c: also improve sanity check in bstr_printf()
X-Git-Tag: KARO-TX6UL-2015-11-03~14^2~61
X-Git-Url: https://git.karo-electronics.de/?a=commitdiff_plain;h=d906a3e6df33afea349579efde77f077922fef67;p=karo-tx-linux.git

lib/vsprintf.c: also improve sanity check in bstr_printf()

Quoting from 2aa2f9e21e4e ("lib/vsprintf.c: improve sanity check in
vsnprintf()"):

    On 64 bit, size may very well be huge even if bit 31 happens to be 0.
    Somehow it doesn't feel right that one can pass a 5 GiB buffer but not a
    3 GiB one.  So cap at INT_MAX as was probably the intention all along.
    This is also the made-up value passed by sprintf and vsprintf.

I should have seen this copy-pasted instance back then, but let's just
do it now.

Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Acked-by: Kees Cook <keescook@chromium.org>
Cc: Martin Kletzander <mkletzan@redhat.com>
Cc: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
---

diff --git a/lib/vsprintf.c b/lib/vsprintf.c
index e35724c2b2a8..a513469e9399 100644
--- a/lib/vsprintf.c
+++ b/lib/vsprintf.c
@@ -2270,7 +2270,7 @@ int bstr_printf(char *buf, size_t size, const char *fmt, const u32 *bin_buf)
 	char *str, *end;
 	const char *args = (const char *)bin_buf;
 
-	if (WARN_ON_ONCE((int) size < 0))
+	if (WARN_ON_ONCE(size > INT_MAX))
 		return 0;
 
 	str = buf;