fscache: fix fscache_objlist_show format processing
authorArnd Bergmann <arnd@arndb.de>
Wed, 13 Sep 2017 23:28:23 +0000 (16:28 -0700)
committerLinus Torvalds <torvalds@linux-foundation.org>
Thu, 14 Sep 2017 01:53:15 +0000 (18:53 -0700)
gcc points out a minor bug in the handling of unknown cookie types,
which could result in a string overflow when the integer is copied into
a 3-byte string:

  fs/fscache/object-list.c: In function 'fscache_objlist_show':
  fs/fscache/object-list.c:265:19: error: 'sprintf' may write a terminating nul past the end of the destination [-Werror=format-overflow=]
   sprintf(_type, "%02u", cookie->def->type);
                  ^~~~~~
  fs/fscache/object-list.c:265:4: note: 'sprintf' output between 3 and 4 bytes into a destination of size 3

This is currently harmless as no code sets a type other than 0 or 1, but
it makes sense to use snprintf() here to avoid overflowing the array if
that changes.

Link: http://lkml.kernel.org/r/20170714120720.906842-22-arnd@arndb.de
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
fs/fscache/object-list.c

index 67f940892ef810dca6710a7f7c14dc2acd9b2619..b5ab06fabc60a3bd0a7a308f45e4cb5b850398c1 100644 (file)
@@ -262,7 +262,8 @@ static int fscache_objlist_show(struct seq_file *m, void *v)
                        type = "DT";
                        break;
                default:
-                       sprintf(_type, "%02u", cookie->def->type);
+                       snprintf(_type, sizeof(_type), "%02u",
+                                cookie->def->type);
                        type = _type;
                        break;
                }