ACPI: fan: Use scnprintf() for avoiding potential buffer overflow

Since snprintf() returns the would-be-output size instead of the
actual output size, the succeeding calls may go beyond the given
buffer limit.  Fix it by replacing with scnprintf().

Also adjust the argument to really match with the actually remaining
buffer size.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>

diff --git a/drivers/acpi/fan.c b/drivers/acpi/fan.c
index aaf4e8f..873e039 100644 (file)
--- a/drivers/acpi/fan.c
+++ b/drivers/acpi/fan.c
@@ -276,29 +276,29 @@ static ssize_t show_state(struct device *dev, struct device_attribute *attr, cha
        int count;
 
        if (fps->control == 0xFFFFFFFF || fps->control > 100)
-               count = snprintf(buf, PAGE_SIZE, "not-defined:");
+               count = scnprintf(buf, PAGE_SIZE, "not-defined:");
        else
-               count = snprintf(buf, PAGE_SIZE, "%lld:", fps->control);
+               count = scnprintf(buf, PAGE_SIZE, "%lld:", fps->control);
 
        if (fps->trip_point == 0xFFFFFFFF || fps->trip_point > 9)
-               count += snprintf(&buf[count], PAGE_SIZE, "not-defined:");
+               count += scnprintf(&buf[count], PAGE_SIZE - count, "not-defined:");
        else
-               count += snprintf(&buf[count], PAGE_SIZE, "%lld:", fps->trip_point);
+               count += scnprintf(&buf[count], PAGE_SIZE - count, "%lld:", fps->trip_point);
 
        if (fps->speed == 0xFFFFFFFF)
-               count += snprintf(&buf[count], PAGE_SIZE, "not-defined:");
+               count += scnprintf(&buf[count], PAGE_SIZE - count, "not-defined:");
        else
-               count += snprintf(&buf[count], PAGE_SIZE, "%lld:", fps->speed);
+               count += scnprintf(&buf[count], PAGE_SIZE - count, "%lld:", fps->speed);
 
        if (fps->noise_level == 0xFFFFFFFF)
-               count += snprintf(&buf[count], PAGE_SIZE, "not-defined:");
+               count += scnprintf(&buf[count], PAGE_SIZE - count, "not-defined:");
        else
-               count += snprintf(&buf[count], PAGE_SIZE, "%lld:", fps->noise_level * 100);
+               count += scnprintf(&buf[count], PAGE_SIZE - count, "%lld:", fps->noise_level * 100);
 
        if (fps->power == 0xFFFFFFFF)
-               count += snprintf(&buf[count], PAGE_SIZE, "not-defined\n");
+               count += scnprintf(&buf[count], PAGE_SIZE - count, "not-defined\n");
        else
-               count += snprintf(&buf[count], PAGE_SIZE, "%lld\n", fps->power);
+               count += scnprintf(&buf[count], PAGE_SIZE - count, "%lld\n", fps->power);
 
        return count;
 }