1From 5b6641978e8fa68bca05d224a61f8513b010eda8 Mon Sep 17 00:00:00 2001
2From: Coleman <omegacoleman@gmail.com>
3Date: Fri, 17 Jul 2020 08:53:00 +0800
4Subject: [PATCH] Fix using sprintf for extending string, which causes
5 undefined behavior
6
7[Upstream: https://github.com/abperiasamy/rtl8812AU_8821AU_linux/commit/be57045a0933d64e958878696883e9cf998e1bf3.patch]
8Signed-off-by: Coleman <omegacoleman@gmail.com>
9Signed-off-by: Christian Stewart <christian@paral.in>
10---
11 core/rtw_mp.c | 2 +-
12 os_dep/linux/ioctl_linux.c | 108 ++++++++++++++++++-------------------
13 2 files changed, 55 insertions(+), 55 deletions(-)
14
15diff --git a/core/rtw_mp.c b/core/rtw_mp.c
16index c2e400d..989bb3e 100644
17--- a/core/rtw_mp.c
18+++ b/core/rtw_mp.c
19@@ -1871,7 +1871,7 @@ u32 mp_query_psd(PADAPTER pAdapter, u8 *data)
20 } else {
21 psd_data = rtw_GetPSDData(pAdapter, i);
22 }
23- sprintf(data, "%s%x ", data, psd_data);
24+ sprintf(data + strlen(data), "%x ", psd_data);
25 i++;
26 }
27
28diff --git a/os_dep/linux/ioctl_linux.c b/os_dep/linux/ioctl_linux.c
29index c74a153..9543fa3 100644
30--- a/os_dep/linux/ioctl_linux.c
31+++ b/os_dep/linux/ioctl_linux.c
32@@ -9080,19 +9080,19 @@ static int rtw_mp_efuse_get(struct net_device *dev,
33 sprintf(extra, "\n");
34 for (i = 0; i < EFUSE_MAP_SIZE; i += 16) {
35 // DBG_871X("0x%02x\t", i);
36- sprintf(extra, "%s0x%02x\t", extra, i);
37+ sprintf(extra + strlen(extra), "0x%02x\t", i);
38 for (j=0; j<8; j++) {
39 // DBG_871X("%02X ", data[i+j]);
40- sprintf(extra, "%s%02X ", extra, PROMContent[i+j]);
41+ sprintf(extra + strlen(extra), "%02X ", PROMContent[i+j]);
42 }
43 // DBG_871X("\t");
44- sprintf(extra, "%s\t", extra);
45+ sprintf(extra + strlen(extra), "\t");
46 for (; j<16; j++) {
47 // DBG_871X("%02X ", data[i+j]);
48- sprintf(extra, "%s%02X ", extra, PROMContent[i+j]);
49+ sprintf(extra + strlen(extra), "%02X ", PROMContent[i+j]);
50 }
51 // DBG_871X("\n");
52- sprintf(extra,"%s\n",extra);
53+ sprintf(extra + strlen(extra),
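Review bot: The rewritten append in `mp_query_psd` (core/rtw_mp.c) still has no upper bound: `sprintf(data + strlen(data), "%x ", psd_data)` writes at the current terminator, the signature carries no length for `data`, and nothing visible in the hunk limits how many samples the loop appends. The commit removes the overlapping source/destination undefined behaviour but not the overflow risk, and the same pattern recurs in every `sprintf(extra + strlen(extra), ...)` line of the os_dep/linux/ioctl_linux.c hunks. A running offset with a known capacity would bound the write and avoid rescanning the string on each call, e.g. `len += scnprintf(data + len, DATA_BUF_SIZE - len, "%x ", psd_data);`, where `DATA_BUF_SIZE` is a placeholder for whatever size the callers really allocate. `data` is also `u8 *`, which `strlen()` and `sprintf()` take only with a pointer-signedness warning, so a `char *` local is worth adding. The function body starts and ends outside the hunk.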
"\n");
54 }
55 // DBG_871X("\n");
56 } else if (strcmp(tmp[0], "realmap") == 0) {
57@@ -9107,19 +9107,19 @@ static int rtw_mp_efuse_get(struct net_device *dev,
58 sprintf(extra, "\n");
59 for (i = 0; i < EFUSE_MAP_SIZE; i += 16) {
60 // DBG_871X("0x%02x\t", i);
61- sprintf(extra, "%s0x%02x\t", extra, i);
62+ sprintf(extra + strlen(extra), "0x%02x\t", i);
63 for (j=0; j<8; j++) {
64 // DBG_871X("%02X ", data[i+j]);
65- sprintf(extra, "%s%02X ", extra, pEfuseHal->fakeEfuseInitMap[i+j]);
66+ sprintf(extra + strlen(extra), "%02X ", pEfuseHal->fakeEfuseInitMap[i+j]);
67 }
68 // DBG_871X("\t");
69- sprintf(extra, "%s\t", extra);
70+ sprintf(extra + strlen(extra), "\t");
71 for (; j<16; j++) {
72 // DBG_871X("%02X ", data[i+j]);
73- sprintf(extra, "%s%02X ", extra, pEfuseHal->fakeEfuseInitMap[i+j]);
74+ sprintf(extra + strlen(extra), "%02X ", pEfuseHal->fakeEfuseInitMap[i+j]);
75 }
76 // DBG_871X("\n");
77- sprintf(extra,"%s\n",extra);
78+ sprintf(extra + strlen(extra), "\n");
79 }
80 // DBG_871X("\n");
81 } else if (strcmp(tmp[0], "rmap") == 0) {
82@@ -9158,7 +9158,7 @@ static int rtw_mp_efuse_get(struct net_device *dev,
83 *extra = 0;
84 for (i=0; i<cnts; i++) {
85 // DBG_871X("0x%02x ", data[i]);
86- sprintf(extra, "%s0x%02X ", extra, data[i]);
87+ sprintf(extra + strlen(extra), "0x%02X ", data[i]);
88 }
89 // DBG_871X("}\n");
90 } else if (strcmp(tmp[0], "realraw") == 0) {
91@@ -9174,17 +9174,17 @@ static int rtw_mp_efuse_get(struct net_device *dev,
92 sprintf(extra, "\n0x00\t");
93 for (i=0; i< mapLen; i++) {
94 // DBG_871X("%02X", rawdata[i]);
95- sprintf(extra, "%s%02X", extra, rawdata[i]);
96+ sprintf(extra + strlen(extra), "%02X", rawdata[i]);
97 if ((i & 0xF) == 0xF) {
98 // DBG_871X("\n");
99- sprintf(extra, "%s\n", extra);
100- sprintf(extra, "%s0x%02x\t", extra, i+1);
101+ sprintf(extra + strlen(extra), "\n");
102+ sprintf(extra + strlen(extra), "0x%02x\t", i+1);
103 } else if ((i & 0x7) == 0x7) {
104 // DBG_871X("\t");
105- sprintf(extra, "%s \t", extra);
106+ sprintf(extra + strlen(extra), " \t");
107 } else {
108 // DBG_871X(" ");
109- sprintf(extra, "%s ", extra);
110+ sprintf(extra + strlen(extra), " ");
111 }
112 }
113 // DBG_871X("}\n");
114@@ -9269,10 +9269,10 @@ static int rtw_mp_efuse_get(struct net_device *dev,
115 *extra = 0;
116 for (i=0; i<cnts; i++) {
117 // DBG_871X("%02X", data[i]);
118- sprintf(extra, "%s%02X", extra, data[i]);
119+ sprintf(extra + strlen(extra), "%02X", data[i]);
120 if (i != (cnts-1)) {
121 // DBG_871X(":");
122- sprintf(extra,"%s:",extra);
123+ sprintf(extra + strlen(extra), ":");
124 }
125 }
126 // DBG_871X("}\n");
127@@ -9330,10 +9330,10 @@ static int rtw_mp_efuse_get(struct net_device *dev,
128 *extra = 0;
129 for (i=0; i<cnts; i++) {
130 // DBG_871X("0x%02x", data[i]);
131- sprintf(extra, "%s0x%02X", extra, data[i]);
132+ sprintf(extra + strlen(extra), "0x%02X", data[i]);
133 if (i != (cnts-1)) {
134 // DBG_871X(",");
135- sprintf(extra,"%s,",extra);
136+ sprintf(extra + strlen(extra), ",");
137 }
138 }
139 // DBG_871X("}\n");
140@@ -9355,19 +9355,19 @@ static int rtw_mp_efuse_get(struct net_device *dev,
141 sprintf(extra, "\n");
142 for (i=0; i<512; i+=16) { // set 512 because the iwpriv's extra size have limit 0x7FF
143 // DBG_871X("0x%03x\t", i);
144- sprintf(extra, "%s0x%03x\t", extra, i);
145+ sprintf(extra + strlen(extra), "0x%03x\t", i);
146 for (j=0; j<8; j++) {
147 // DBG_871X("%02X ", pEfuseHal->BTEfuseInitMap[i+j]);
148- sprintf(extra, "%s%02X ", extra, pEfuseHal->BTEfuseInitMap[i+j]);
149+ sprintf(extra + strlen(extra), "%02X ", pEfuseHal->BTEfuseInitMap[i+j]);
150 }
151 // DBG_871X("\t");
152- sprintf(extra,"%s\t",extra);
153+ sprintf(extra + strlen(extra), "\t");
154 for (; j<16; j++) {
155 // DBG_871X("%02X ", pEfuseHal->BTEfuseInitMap[i+j]);
156- sprintf(extra, "%s%02X ", extra, pEfuseHal->BTEfuseInitMap[i+j]);
157+ sprintf(extra + strlen(extra), "%02X ", pEfuseHal->BTEfuseInitMap[i+j]);
158 }
159 // DBG_871X("\n");
160- sprintf(extra, "%s\n", extra);
161+
sprintf(extra + strlen(extra), "\n");
162 }
163 // DBG_871X("\n");
164 } else if (strcmp(tmp[0],"btbmap") == 0) {
165@@ -9384,19 +9384,19 @@ static int rtw_mp_efuse_get(struct net_device *dev,
166 sprintf(extra, "\n");
167 for (i=512; i<1024 ; i+=16) {
168 // DBG_871X("0x%03x\t", i);
169- sprintf(extra, "%s0x%03x\t", extra, i);
170+ sprintf(extra + strlen(extra), "0x%03x\t", i);
171 for (j=0; j<8; j++) {
172 // DBG_871X("%02X ", data[i+j]);
173- sprintf(extra, "%s%02X ", extra, pEfuseHal->BTEfuseInitMap[i+j]);
174+ sprintf(extra + strlen(extra), "%02X ", pEfuseHal->BTEfuseInitMap[i+j]);
175 }
176 // DBG_871X("\t");
177- sprintf(extra,"%s\t",extra);
178+ sprintf(extra + strlen(extra), "\t");
179 for (; j<16; j++) {
180 // DBG_871X("%02X ", data[i+j]);
181- sprintf(extra, "%s%02X ", extra, pEfuseHal->BTEfuseInitMap[i+j]);
182+ sprintf(extra + strlen(extra), "%02X ", pEfuseHal->BTEfuseInitMap[i+j]);
183 }
184 // DBG_871X("\n");
185- sprintf(extra, "%s\n", extra);
186+ sprintf(extra + strlen(extra), "\n");
187 }
188 // DBG_871X("\n");
189 } else if (strcmp(tmp[0],"btrmap") == 0) {
190@@ -9436,7 +9436,7 @@ static int rtw_mp_efuse_get(struct net_device *dev,
191 // DBG_871X("%s: bt efuse data={", __FUNCTION__);
192 for (i=0; i<cnts; i++) {
193 // DBG_871X("0x%02x ", data[i]);
194- sprintf(extra, "%s 0x%02X ", extra, data[i]);
195+ sprintf(extra + strlen(extra), " 0x%02X ", data[i]);
196 }
197 // DBG_871X("}\n");
198 DBG_871X(FUNC_ADPT_FMT ": BT MAC=[%s]\n", FUNC_ADPT_ARG(padapter), extra);
199@@ -9445,19 +9445,19 @@ static int rtw_mp_efuse_get(struct net_device *dev,
200 sprintf(extra, "\n");
201 for (i=0; i<512; i+=16) {
202 // DBG_871X("0x%03x\t", i);
203- sprintf(extra, "%s0x%03x\t", extra, i);
204+ sprintf(extra + strlen(extra), "0x%03x\t", i);
205 for (j=0; j<8; j++) {
206 // DBG_871X("%02X ", pEfuseHal->fakeBTEfuseModifiedMap[i+j]);
207- sprintf(extra, "%s%02X ", extra, pEfuseHal->fakeBTEfuseModifiedMap[i+j]);
208+ sprintf(extra + strlen(extra), "%02X ",
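Review bot: In the hunk at -9436 (the loop whose result is logged as `BT MAC`), the new `sprintf(extra + strlen(extra), " 0x%02X ", data[i])` relies on `extra` already being an empty, terminated string, and the visible context does not show the `*extra = 0;` reset that sits directly above the other `cnts` loops in this function. If `extra` still holds earlier text at that point, the bytes are appended to it and the remaining space shrinks by that amount; the reset may simply lie above the three context lines, so this needs checking in the full function. If it is missing, adding `*extra = 0;` before the `for` makes this branch match its siblings.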
pEfuseHal->fakeBTEfuseModifiedMap[i+j]);
209 }
210 // DBG_871X("\t");
211- sprintf(extra, "%s\t", extra);
212+ sprintf(extra + strlen(extra), "\t");
213 for (; j<16; j++) {
214 // DBG_871X("%02X ", pEfuseHal->fakeBTEfuseModifiedMap[i+j]);
215- sprintf(extra, "%s%02X ", extra, pEfuseHal->fakeBTEfuseModifiedMap[i+j]);
216+ sprintf(extra + strlen(extra), "%02X ", pEfuseHal->fakeBTEfuseModifiedMap[i+j]);
217 }
218 // DBG_871X("\n");
219- sprintf(extra, "%s\n", extra);
220+ sprintf(extra + strlen(extra), "\n");
221 }
222 // DBG_871X("\n");
223 } else if (strcmp(tmp[0],"btbfake") == 0) {
224@@ -9465,19 +9465,19 @@ static int rtw_mp_efuse_get(struct net_device *dev,
225 sprintf(extra, "\n");
226 for (i=512; i<1024; i+=16) {
227 // DBG_871X("0x%03x\t", i);
228- sprintf(extra, "%s0x%03x\t", extra, i);
229+ sprintf(extra + strlen(extra), "0x%03x\t", i);
230 for (j=0; j<8; j++) {
231 // DBG_871X("%02X ", pEfuseHal->fakeBTEfuseModifiedMap[i+j]);
232- sprintf(extra, "%s%02X ", extra, pEfuseHal->fakeBTEfuseModifiedMap[i+j]);
233+ sprintf(extra + strlen(extra), "%02X ", pEfuseHal->fakeBTEfuseModifiedMap[i+j]);
234 }
235 // DBG_871X("\t");
236- sprintf(extra, "%s\t", extra);
237+ sprintf(extra + strlen(extra), "\t");
238 for (; j<16; j++) {
239 // DBG_871X("%02X ", pEfuseHal->fakeBTEfuseModifiedMap[i+j]);
240- sprintf(extra, "%s%02X ", extra, pEfuseHal->fakeBTEfuseModifiedMap[i+j]);
241+ sprintf(extra + strlen(extra), "%02X ", pEfuseHal->fakeBTEfuseModifiedMap[i+j]);
242 }
243 // DBG_871X("\n");
244- sprintf(extra, "%s\n", extra);
245+ sprintf(extra + strlen(extra), "\n");
246 }
247 // DBG_871X("\n");
248 } else if (strcmp(tmp[0],"wlrfkmap")== 0) {
249@@ -9485,19 +9485,19 @@ static int rtw_mp_efuse_get(struct net_device *dev,
250 sprintf(extra, "\n");
251 for (i=0; i<EFUSE_MAP_SIZE; i+=16) {
252 // DBG_871X("\t0x%02x\t", i);
253- sprintf(extra, "%s0x%02x\t", extra, i);
254+ sprintf(extra + strlen(extra), "0x%02x\t", i);
255 for (j=0; j<8; j++) {
256 // DBG_871X("%02X ",
pEfuseHal->fakeEfuseModifiedMap[i+j]);
257- sprintf(extra, "%s%02X ", extra, pEfuseHal->fakeEfuseModifiedMap[i+j]);
258+ sprintf(extra + strlen(extra), "%02X ", pEfuseHal->fakeEfuseModifiedMap[i+j]);
259 }
260 // DBG_871X("\t");
261- sprintf(extra, "%s\t", extra);
262+ sprintf(extra + strlen(extra), "\t");
263 for (; j<16; j++) {
264 // DBG_871X("%02X ", pEfuseHal->fakeEfuseModifiedMap[i+j]);
265- sprintf(extra, "%s %02X", extra, pEfuseHal->fakeEfuseModifiedMap[i+j]);
266+ sprintf(extra + strlen(extra), " %02X", pEfuseHal->fakeEfuseModifiedMap[i+j]);
267 }
268 // DBG_871X("\n");
269- sprintf(extra, "%s\n", extra);
270+ sprintf(extra + strlen(extra), "\n");
271 }
272 // DBG_871X("\n");
273
274@@ -9523,7 +9523,7 @@ static int rtw_mp_efuse_get(struct net_device *dev,
275 *extra = 0;
276 for (i=0; i<cnts; i++) {
277 DBG_871X("wlrfkrmap = 0x%02x \n", pEfuseHal->fakeEfuseModifiedMap[addr+i]);
278- sprintf(extra, "%s0x%02X ", extra, pEfuseHal->fakeEfuseModifiedMap[addr+i]);
279+ sprintf(extra + strlen(extra), "0x%02X ", pEfuseHal->fakeEfuseModifiedMap[addr+i]);
280 }
281 } else if (strcmp(tmp[0],"btrfkrmap")== 0) {
282 if ((tmp[1]==NULL) || (tmp[2]==NULL)) {
283@@ -9547,7 +9547,7 @@ static int rtw_mp_efuse_get(struct net_device *dev,
284 *extra = 0;
285 for (i=0; i<cnts; i++) {
286 DBG_871X("wlrfkrmap = 0x%02x \n", pEfuseHal->fakeBTEfuseModifiedMap[addr+i]);
287- sprintf(extra, "%s0x%02X ", extra, pEfuseHal->fakeBTEfuseModifiedMap[addr+i]);
288+ sprintf(extra + strlen(extra), "0x%02X ", pEfuseHal->fakeBTEfuseModifiedMap[addr+i]);
289 }
290 } else {
291 sprintf(extra, "Command not found!");
292@@ -10409,7 +10409,7 @@ static int rtw_mp_read_reg(struct net_device *dev,
293 pnext++;
294 if ( *pnext != '\0' ) {
295 strtout = simple_strtoul (pnext , &ptmp, 16);
296- sprintf( extra, "%s %d" ,extra ,strtout );
297+ sprintf(extra + strlen(extra), " %d" ,strtout );
298 } else {
299 break;
300 }
301@@ -10443,7 +10443,7 @@ static int rtw_mp_read_reg(struct net_device *dev,
302
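Review bot: The value appended in the hunk at -9523 is read from `pEfuseHal->fakeEfuseModifiedMap[addr+i]`, and the hunk at -9547 does the same on `fakeBTEfuseModifiedMap`; no check that `addr + cnts` stays inside either map is visible in these hunks. The neighbouring branch tests `tmp[1]` and `tmp[2]`, which suggests both values are parsed from the ioctl argument string, so a range check against the map size before each loop should be confirmed in the surrounding code. A one-line comment above each loop, such as `/* addr + cnts was range-checked against the map size above */`, would record the invariant the indexing relies on. The debug line in the -9547 hunk also prints `wlrfkrmap` while reading the BT map, which looks like a copied label.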
pnext++;
303 if ( *pnext != '\0' ) {
304 strtout = simple_strtoul (pnext , &ptmp, 16);
305- sprintf( extra, "%s %d" ,extra ,strtout );
306+ sprintf(extra + strlen(extra), " %d" ,strtout );
307 } else {
308 break;
309 }
310@@ -10566,7 +10566,7 @@ static int rtw_mp_read_rf(struct net_device *dev,
311 pnext++;
312 if ( *pnext != '\0' ) {
313 strtou = simple_strtoul (pnext , &ptmp, 16);
314- sprintf( extra, "%s %d" ,extra ,strtou );
315+ sprintf(extra + strlen(extra), " %d" ,strtou );
316 } else {
317 break;
318 }
319@@ -12155,14 +12155,14 @@ todo:
320 goto exit;
321
322 #ifdef CONFIG_RTL8723A
323- sprintf(extra, "%s %d ", extra, (pMptCtx->mptOutBuf[i]& 0x3f));
324+ sprintf(extra + strlen(extra), " %d ", (pMptCtx->mptOutBuf[i]& 0x3f));
325 #else
326- sprintf(extra, "%s %d ", extra, (pMptCtx->mptOutBuf[i]& 0x1f));
327+ sprintf(extra + strlen(extra), " %d ", (pMptCtx->mptOutBuf[i]& 0x1f));
328 #endif
329 }
330 } else {
331 for (i=4; i<pMptCtx->mptOutLen; i++) {
332- sprintf(extra, "%s 0x%x ", extra, pMptCtx->mptOutBuf[i]);
333+ sprintf(extra + strlen(extra), " 0x%x ", pMptCtx->mptOutBuf[i]);
334 }
335 }
336
337--
3382.28.0
339
340
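Review bot: In the last hunk (at the `todo:` label) the `else` loop runs up to `pMptCtx->mptOutLen` and appends several bytes per element with `sprintf(extra + strlen(extra), " 0x%x ", ...)`, with no comparison against the size of `extra`. Where `mptOutLen` is set is not visible here; if it is taken from a device or firmware response, as the name suggests, it should be clamped to what the output buffer can hold before the loop. Separately, the two `rtw_mp_read_reg` hunks and the `rtw_mp_read_rf` hunk print the result of `simple_strtoul()` with `" %d"`; the declarations of `strtout` and `strtou` are outside the hunks, but if they are unsigned the specifier should be `" %u"` (or `" %lu"` for `unsigned long`). All of the enclosing functions start and end outside these hunks.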