wlcore: Fix buffer overrun by snprintf due to incorrect buffer size

[ Upstream commit a9a4c080deb33f44e08afe35f4ca4bb9ece89f4e ]

The size of the buffer than can be written to is currently incorrect, it is
always the size of the entire buffer even though the snprintf is writing
as position pos into the buffer. Fix this by setting the buffer size to be
the number of bytes left in the buffer, namely sizeof(buf) - pos.

Addresses-Coverity: ("Out-of-bounds access")
Fixes: 7b0e2c4f6be3 ("wlcore: fix overlapping snprintf arguments in debugfs")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Reviewed-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20210419141405.180582-1-colin.king@canonical.com
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/drivers/net/wireless/ti/wlcore/debugfs.h b/drivers/net/wireless/ti/wlcore/debugfs.h
index 715edfa5f89f27bc4befc503ecf02f3ebb7c65d0..a9e13e6d65c508ab2f31fcf3c796ebd13e5d64be 100644 (file)
--- a/drivers/net/wireless/ti/wlcore/debugfs.h
+++ b/drivers/net/wireless/ti/wlcore/debugfs.h
@@ -84,7 +84,7 @@ static ssize_t sub## _ ##name## _read(struct file *file,              \
        wl1271_debugfs_update_stats(wl);                                \
                                                                        \
        for (i = 0; i < len && pos < sizeof(buf); i++)                  \
-               pos += snprintf(buf + pos, sizeof(buf),                 \
+               pos += snprintf(buf + pos, sizeof(buf) - pos,           \
                         "[%d] = %d\n", i, stats->sub.name[i]);         \
                                                                        \
        return wl1271_format_buffer(userbuf, count, ppos, "%s", buf);   \