From nobody Fri Dec 19 05:42:23 2025
Return-Path: <linux-kernel-owner@vger.kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 2B40BC19774
	for <linux-kernel@archiver.kernel.org>; Wed, 13 Dec 2023 16:43:38 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1379387AbjLMQn3 (ORCPT
        <rfc822;linux-kernel@archiver.kernel.org>);
        Wed, 13 Dec 2023 11:43:29 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55976 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S235378AbjLMQnI (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 13 Dec 2023 11:43:08 -0500
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6868BF3
        for <linux-kernel@vger.kernel.org>;
 Wed, 13 Dec 2023 08:43:13 -0800 (PST)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id D53F6C433CA;
        Wed, 13 Dec 2023 16:43:11 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=k20201202; t=1702485793;
        bh=Xx02t9tpORoHITkBD1x5P/vBMElFrxoGnWnTgr1OD4o=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=EutNB+zNKO4N/VpzUrYjbCv+FL+7uqhHDzbhfhdf6kUFBBoU5zCuXwircAdOnN7N2
         F20tPDI/AsLUekafvAm+A9k9bs97hk0Pixjq6liQaUVHRlvCPCLnvOWT16e31KTXku
         fR/Kus4TFXB95ldUvG2CW9kh8lu9/klGDgsXea8v9vt9WiaSvSDq6t6C6yt5kO8v0p
         7qtPahEkz8yk9Q88FAuc3o7gIUTYrDTW82I+FTRbWNJ1gD8tUSKuKeA+5xOiJIpi3Y
         S4wEsePZQrGp4Rwj9YHpWQbbS52vKg8vIFzgXX+VdthuUy5A9xqJIAQkMRF6+jrRBo
         vmK+bIWyD6TXg==
From: Lee Jones <lee@kernel.org>
To: lee@kernel.org, gregkh@linuxfoundation.org
Cc: linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org,
        Tomoki Sekiyama <tomoki.sekiyama@gmail.com>
Subject: [PATCH 08/12] usb: yurex: Replace snprintf() with the safer
 scnprintf() variant
Date: Wed, 13 Dec 2023 16:42:37 +0000
Message-ID: <20231213164246.1021885-9-lee@kernel.org>
X-Mailer: git-send-email 2.43.0.472.g3155946c3a-goog
In-Reply-To: <20231213164246.1021885-1-lee@kernel.org>
References: <20231213164246.1021885-1-lee@kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Type: text/plain; charset="utf-8"

There is a general misunderstanding amongst engineers that {v}snprintf()
returns the length of the data *actually* encoded into the destination
array.  However, as per the C99 standard {v}snprintf() really returns
the length of the data that *would have been* written if there were
enough space for it.  This misunderstanding has led to buffer-overruns
in the past.  It's generally considered safer to use the {v}scnprintf()
variants in their place (or even sprintf() in simple cases).  So let's
do that.

Whilst we're at it, let's define some magic numbers to increase
readability and ease of maintenance.

Link: https://lwn.net/Articles/69419/
Link: https://github.com/KSPP/linux/issues/105
Cc: Tomoki Sekiyama <tomoki.sekiyama@gmail.com>
Signed-off-by: Lee Jones <lee@kernel.org>
---
 drivers/usb/misc/yurex.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/drivers/usb/misc/yurex.c b/drivers/usb/misc/yurex.c
index c640f98d20c54..5a13cddace0e6 100644
--- a/drivers/usb/misc/yurex.c
+++ b/drivers/usb/misc/yurex.c
@@ -34,6 +34,8 @@
 #define YUREX_BUF_SIZE		8
 #define YUREX_WRITE_TIMEOUT	(HZ*2)
=20
+#define MAX_S64_STRLEN 20 /* {-}922337203685477580{7,8} */
+
 /* table of devices that work with this driver */
 static struct usb_device_id yurex_table[] =3D {
 	{ USB_DEVICE(YUREX_VENDOR_ID, YUREX_PRODUCT_ID) },
@@ -401,7 +403,7 @@ static ssize_t yurex_read(struct file *file, char __use=
r *buffer, size_t count,
 {
 	struct usb_yurex *dev;
 	int len =3D 0;
-	char in_buffer[20];
+	char in_buffer[MAX_S64_STRLEN];
 	unsigned long flags;
=20
 	dev =3D file->private_data;
@@ -412,14 +414,14 @@ static ssize_t yurex_read(struct file *file, char __u=
ser *buffer, size_t count,
 		return -ENODEV;
 	}
=20
+	if (WARN_ON_ONCE(dev->bbu > S64_MAX || dev->bbu < S64_MIN))
+		return -EIO;
+
 	spin_lock_irqsave(&dev->lock, flags);
-	len =3D snprintf(in_buffer, 20, "%lld\n", dev->bbu);
+	scnprintf(in_buffer, MAX_S64_STRLEN, "%lld\n", dev->bbu);
 	spin_unlock_irqrestore(&dev->lock, flags);
 	mutex_unlock(&dev->io_mutex);
=20
-	if (WARN_ON_ONCE(len >=3D sizeof(in_buffer)))
-		return -EIO;
-
 	return simple_read_from_buffer(buffer, count, ppos, in_buffer, len);
 }
=20
--=20
2.43.0.472.g3155946c3a-goog