scsi: be2iscsi: Use scnprintf() for avoiding potential buffer overflow

Since snprintf() returns the would-be-output size instead of the actual
output size, the succeeding calls may go beyond the given buffer limit.
Fix it by replacing with scnprintf().

Link: https://lore.kernel.org/r/20200315094241.9086-3-tiwai@suse.de
Cc: "James E . J . Bottomley" <jejb@linux.ibm.com>
Cc: "Martin K . Petersen" <martin.petersen@oracle.com>
Cc: Subbu Seetharaman <subbu.seetharaman@broadcom.com>
Cc: Ketan Mukadam <ketan.mukadam@broadcom.com>
Cc: Jitendra Bhivare <jitendra.bhivare@broadcom.com>
Cc: linux-scsi@vger.kernel.org
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>

diff --git a/drivers/scsi/be2iscsi/be_mgmt.c b/drivers/scsi/be2iscsi/be_mgmt.c
index d4febaa..a2d69b2 100644 (file)
--- a/drivers/scsi/be2iscsi/be_mgmt.c
+++ b/drivers/scsi/be2iscsi/be_mgmt.c
@@ -1178,12 +1178,12 @@ beiscsi_active_session_disp(struct device *dev, struct device_attribute *attr,
                if (test_bit(ulp_num, (void *)&phba->fw_config.ulp_supported)) {
                        avlbl_cids = BEISCSI_ULP_AVLBL_CID(phba, ulp_num);
                        total_cids = BEISCSI_GET_CID_COUNT(phba, ulp_num);
-                       len += snprintf(buf+len, PAGE_SIZE - len,
-                                       "ULP%d : %d\n", ulp_num,
-                                       (total_cids - avlbl_cids));
+                       len += scnprintf(buf+len, PAGE_SIZE - len,
+                                        "ULP%d : %d\n", ulp_num,
+                                        (total_cids - avlbl_cids));
                } else
-                       len += snprintf(buf+len, PAGE_SIZE - len,
-                                       "ULP%d : %d\n", ulp_num, 0);
+                       len += scnprintf(buf+len, PAGE_SIZE - len,
+                                        "ULP%d : %d\n", ulp_num, 0);
        }
 
        return len;
@@ -1208,12 +1208,12 @@ beiscsi_free_session_disp(struct device *dev, struct device_attribute *attr,
 
        for (ulp_num = 0; ulp_num < BEISCSI_ULP_COUNT; ulp_num++) {
                if (test_bit(ulp_num, (void *)&phba->fw_config.ulp_supported))
-                       len += snprintf(buf+len, PAGE_SIZE - len,
-                                       "ULP%d : %d\n", ulp_num,
-                                       BEISCSI_ULP_AVLBL_CID(phba, ulp_num));
+                       len += scnprintf(buf+len, PAGE_SIZE - len,
+                                        "ULP%d : %d\n", ulp_num,
+                                        BEISCSI_ULP_AVLBL_CID(phba, ulp_num));
                else
-                       len += snprintf(buf+len, PAGE_SIZE - len,
-                                       "ULP%d : %d\n", ulp_num, 0);
+                       len += scnprintf(buf+len, PAGE_SIZE - len,
+                                        "ULP%d : %d\n", ulp_num, 0);
        }
 
        return len;