staging: dgap: fix overflows and format strings (1ea12fef) · Commits · e / devices / android_kernel_fairphone_FP4

drivers/staging/dgap/dgap_driver.c

+10 −7

Original line number	Diff line number	Diff line
		@@ -474,7 +474,7 @@ static void dgap_cleanup_board(struct board_t *brd)

		DGAP_LOCK(dgap_global_lock, flags);
		brd->msgbuf = NULL;
		printk(brd->msgbuf_head);
		printk("%s", brd->msgbuf_head);
		kfree(brd->msgbuf_head);
		brd->msgbuf_head = NULL;
		DGAP_UNLOCK(dgap_global_lock, flags);
		@@ -628,7 +628,7 @@ static int dgap_found_board(struct pci_dev *pdev, int id)
		DPR_INIT(("dgap_scan(%d) - printing out the msgbuf\n", i));
		DGAP_LOCK(dgap_global_lock, flags);
		brd->msgbuf = NULL;
		printk(brd->msgbuf_head);
		printk("%s", brd->msgbuf_head);
		kfree(brd->msgbuf_head);
		brd->msgbuf_head = NULL;
		DGAP_UNLOCK(dgap_global_lock, flags);
		@@ -955,25 +955,28 @@ static void dgap_mbuf(struct board_t brd, const char fmt, ...) {
		char buf[1024];
		int i;
		unsigned long flags;
		size_t length;

		DGAP_LOCK(dgap_global_lock, flags);

		/* Format buf using fmt and arguments contained in ap. */
		va_start(ap, fmt);
		i = vsprintf(buf, fmt, ap);
		i = vsnprintf(buf, sizeof(buf), fmt, ap);
		va_end(ap);

		DPR((buf));

		if (!brd \|\| !brd->msgbuf) {
		printk(buf);
		printk("%s", buf);
		DGAP_UNLOCK(dgap_global_lock, flags);
		return;
		}

		memcpy(brd->msgbuf, buf, strlen(buf));
		brd->msgbuf += strlen(buf);
		*brd->msgbuf = 0;
		length = strlen(buf) + 1;
		if (brd->msgbuf - brd->msgbuf_head < length)
		length = brd->msgbuf - brd->msgbuf_head;
		memcpy(brd->msgbuf, buf, length);
		brd->msgbuf += length;

		DGAP_UNLOCK(dgap_global_lock, flags);
		}