The use of sprintf with a format string here means there is a risk
that the writes will go out of bounds; replace it with scnprintf.

In on_action_public_default the variable "cnt" isn't being used for
anything meaningful so remove it.

Signed-off-by: Candy Febriyanto <cfebriya...@gmail.com>
Reviewed-by: Hans de Goede <hdego...@redhat.com>
---
 drivers/staging/rtl8723bs/core/rtw_mlme_ext.c | 3 +--
 drivers/staging/rtl8723bs/core/rtw_pwrctrl.c  | 4 ++--
 2 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c 
b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
index fa4b0259c5ae..3443a5764c50 100644
--- a/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
+++ b/drivers/staging/rtl8723bs/core/rtw_mlme_ext.c
@@ -2084,7 +2084,6 @@ static unsigned int on_action_public_default(union 
recv_frame *precv_frame, u8 a
        u8 *frame_body = pframe + sizeof(struct ieee80211_hdr_3addr);
        u8 token;
        struct adapter *adapter = precv_frame->u.hdr.adapter;
-       int cnt = 0;
        char msg[64];
 
        token = frame_body[2];
@@ -2092,7 +2091,7 @@ static unsigned int on_action_public_default(union 
recv_frame *precv_frame, u8 a
        if (rtw_action_public_decache(precv_frame, token) == _FAIL)
                goto exit;
 
-       cnt += sprintf((msg+cnt), "%s(token:%u)", action_public_str(action), 
token);
+       scnprintf(msg, sizeof(msg), "%s(token:%u)", action_public_str(action), 
token);
        rtw_cfg80211_rx_action(adapter, pframe, frame_len, msg);
 
        ret = _SUCCESS;
diff --git a/drivers/staging/rtl8723bs/core/rtw_pwrctrl.c 
b/drivers/staging/rtl8723bs/core/rtw_pwrctrl.c
index 5b05d1eaa328..c9f4a18b24b9 100644
--- a/drivers/staging/rtl8723bs/core/rtw_pwrctrl.c
+++ b/drivers/staging/rtl8723bs/core/rtw_pwrctrl.c
@@ -554,7 +554,7 @@ void LPS_Enter(struct adapter *padapter, const char *msg)
                /*  Idle for a while if we connect to AP a while ago. */
                if (pwrpriv->LpsIdleCount >= 2) { /*   4 Sec */
                        if (pwrpriv->pwr_mode == PS_MODE_ACTIVE) {
-                               sprintf(buf, "WIFI-%s", msg);
+                               scnprintf(buf, sizeof(buf), "WIFI-%s", msg);
                                pwrpriv->bpower_saving = true;
                                rtw_set_ps_mode(padapter, pwrpriv->power_mgnt, 
padapter->registrypriv.smart_ps, 0, buf);
                        }
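Review bot: `sizeof(buf)` in the new `scnprintf(buf, sizeof(buf), "WIFI-%s", msg);` bounds the write only if `buf` is a char array declared in LPS_Enter; the declaration is outside this hunk, and if `buf` were a pointer the limit would silently become the pointer size. The same check applies to the identical call in the LPS_Leave hunk that follows. Because `msg` is supplied by the caller, an over-long value is now truncated without any indication before `buf` is handed to rtw_set_ps_mode; a one-line comment such as `/* buf is a fixed-size array; msg is truncated to fit */` above each call would record that this is intended. Both function bodies start and end outside the hunks shown.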
@@ -584,7 +584,7 @@ void LPS_Leave(struct adapter *padapter, const char *msg)
 
        if (pwrpriv->bLeisurePs) {
                if (pwrpriv->pwr_mode != PS_MODE_ACTIVE) {
-                       sprintf(buf, "WIFI-%s", msg);
+                       scnprintf(buf, sizeof(buf), "WIFI-%s", msg);
                        rtw_set_ps_mode(padapter, PS_MODE_ACTIVE, 0, 0, buf);
 
                        if (pwrpriv->pwr_mode == PS_MODE_ACTIVE)
-- 
2.30.1
