From: HariKrishna Sagala hariconscious@gmail.com
snprintf() returns the would-be-filled size when the string overflows the given buffer size, hence using this value may result in a buffer overflow (although it's unrealistic).
This patch replaces it with a safer version, scnprintf() for papering over such a potential issue. Link: https://github.com/KSPP/linux/issues/105 'Fixes: 5a565ba23abe ("ASoC: Intel: avs: Probing and firmware tracing over debugfs")'
Signed-off-by: HariKrishna Sagala hariconscious@gmail.com --- Thank you for the feedback and the suggestions. Corrected the indentation & commit message. V1: https://lore.kernel.org/all/20251112120235.54328-2-hariconscious@gmail.com/ sound/soc/intel/avs/debugfs.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/sound/soc/intel/avs/debugfs.c b/sound/soc/intel/avs/debugfs.c index 3534de46f9e4..cdb82392b9ee 100644 --- a/sound/soc/intel/avs/debugfs.c +++ b/sound/soc/intel/avs/debugfs.c @@ -119,9 +119,9 @@ static ssize_t probe_points_read(struct file *file, char __user *to, size_t coun }
for (i = 0; i < num_desc; i++) { - ret = snprintf(buf + len, PAGE_SIZE - len, - "Id: %#010x Purpose: %d Node id: %#x\n", - desc[i].id.value, desc[i].purpose, desc[i].node_id.val); + ret = scnprintf(buf + len, PAGE_SIZE - len, + "Id: %#010x Purpose: %d Node id: %#x\n", + desc[i].id.value, desc[i].purpose, desc[i].node_id.val); if (ret < 0) goto free_desc; len += ret;
base-commit: 24172e0d79900908cf5ebf366600616d29c9b417