> We currently have a few product names that exceed the old limit, and
> this is triggering an SSP check in pci_devinfo(). This commit doesn't
> directly address the SSP issue, but pushes the can down the road...
i think you're right that the 'cp' manipulation is the problem.  snprintf() will return the "desired" size, so upon the first attempted overflow the 'cp' is moved beyond 'ep', and then the next snprintf() gets a negative aka extremely massive value for the buffer length and actual overflow happens here, and ssp detects it.

the fix would be to change this:

	cp += snprintf(cp, ep - cp, ...);

into this:

	len = snprintf(cp, ep - cp, ...);
	if (len > ep - cp)
		return;
	cp += len;

which is annoying because there are a lot of the former.


.mrg.
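An added, stand-alone illustration of the failure mode and the fix discussed in the reply above; it is example code written for this note, not code from the NetBSD tree or from the poster. `unchecked_next_size()` computes, without touching any buffer, the size argument the second snprintf() would receive under the `cp += snprintf(...)` idiom once the first call has already been truncated (the pointer difference wraps to a huge size_t). `append_checked()` and `build_devinfo()` are a hypothetical checked variant in the shape the reply proposes; it uses `len >= ep - cp` rather than `>` so that a field that was cut short by exactly one character (snprintf() reserves the last byte for the NUL) is also reported as not fitting. The vendor and product strings are constructed sample values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Unchecked idiom, reduced to its arithmetic. snprintf() returns the length
 * the full output *would* have had, so after one truncated call cp sits
 * `want` bytes past buf even though only bufsz-1 were written. The next
 * call is then handed (ep - cp) as its size, which is bufsz - want in size_t
 * arithmetic: for want > bufsz that wraps to an enormous value and the
 * following snprintf() writes freely past the end of buf (what SSP catches).
 * Computed with snprintf(NULL, 0, ...) so nothing is written anywhere.
 */
size_t
unchecked_next_size(size_t bufsz, const char *product)
{
	size_t want = (size_t)snprintf(NULL, 0, "%s", product);

	return bufsz - want;	/* ep - cp as the next call would see it */
}

/*
 * Checked append: advance cp only by what actually fit, and report failure
 * as soon as a field does not fit. Uses >= because with size n, snprintf()
 * writes at most n-1 characters; len == n means one character was dropped.
 */
bool
append_checked(char **cpp, char *ep, const char *fmt, const char *arg)
{
	char *cp = *cpp;
	int len;

	if (cp >= ep)
		return false;
	len = snprintf(cp, (size_t)(ep - cp), fmt, arg);
	if (len < 0 || len >= ep - cp)
		return false;	/* truncated; do not move cp past ep */
	*cpp = cp + len;
	return true;
}

/*
 * Hypothetical "vendor product" description builder in the checked style.
 * Returns true only if both fields fit; on failure buf holds a truncated,
 * still NUL-terminated prefix and cp never leaves [buf, ep).
 */
bool
build_devinfo(char *buf, size_t bufsz, const char *vendor, const char *product)
{
	char *cp = buf, *ep = buf + bufsz;

	if (bufsz == 0)
		return false;
	buf[0] = '\0';
	return append_checked(&cp, ep, "%s", vendor)
	    && append_checked(&cp, ep, " %s", product);
}

int
main(void)
{
	/* constructed sample values, not real PCI vendor/product strings */
	const char *long_name = "a very long product name";	/* 24 chars */
	char small[8], big[32];

	printf("unchecked: next size would be %zu for an 8-byte buffer\n",
	    unchecked_next_size(sizeof small, long_name));
	printf("checked: fits=%d buf=\"%s\"\n",
	    build_devinfo(small, sizeof small, "Vendor", long_name), small);
	printf("checked: fits=%d buf=\"%s\"\n",
	    build_devinfo(big, sizeof big, "Vendor", "Product"), big);
	return 0;
}
```

The first printed value is the wrapped size (SIZE_MAX - 15 for a 24-character name and an 8-byte buffer), which is the "extremely massive value" the reply refers to; the checked builder instead stops with a 7-byte prefix and a false return, so the caller can decide whether a truncated description is acceptable.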