mailbox: bcm-pdc: Use scnprintf() for avoiding potential buffer overflow
authorTakashi Iwai <tiwai@suse.de>
Wed, 11 Mar 2020 07:45:13 +0000 (08:45 +0100)
committerJassi Brar <jaswinder.singh@linaro.org>
Fri, 20 Mar 2020 04:00:32 +0000 (23:00 -0500)
Since snprintf() returns the would-be-output size instead of the
actual output size, the succeeding calls may go beyond the given
buffer limit.  Fix it by replacing with scnprintf().

Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jassi Brar <jaswinder.singh@linaro.org>
drivers/mailbox/bcm-pdc-mailbox.c

index fcb3b18a0678e2c1994709e343aafacf8eded0b9..c10a9318a4b7082b1d1fdb37ee3313b571353ac4 100644 (file)
@@ -436,33 +436,33 @@ static ssize_t pdc_debugfs_read(struct file *filp, char __user *ubuf,
 
        pdcs = filp->private_data;
        out_offset = 0;
-       out_offset += snprintf(buf + out_offset, out_count - out_offset,
+       out_offset += scnprintf(buf + out_offset, out_count - out_offset,
                               "SPU %u stats:\n", pdcs->pdc_idx);
-       out_offset += snprintf(buf + out_offset, out_count - out_offset,
+       out_offset += scnprintf(buf + out_offset, out_count - out_offset,
                               "PDC requests....................%u\n",
                               pdcs->pdc_requests);
-       out_offset += snprintf(buf + out_offset, out_count - out_offset,
+       out_offset += scnprintf(buf + out_offset, out_count - out_offset,
                               "PDC responses...................%u\n",
                               pdcs->pdc_replies);
-       out_offset += snprintf(buf + out_offset, out_count - out_offset,
+       out_offset += scnprintf(buf + out_offset, out_count - out_offset,
                               "Tx not done.....................%u\n",
                               pdcs->last_tx_not_done);
-       out_offset += snprintf(buf + out_offset, out_count - out_offset,
+       out_offset += scnprintf(buf + out_offset, out_count - out_offset,
                               "Tx ring full....................%u\n",
                               pdcs->tx_ring_full);
-       out_offset += snprintf(buf + out_offset, out_count - out_offset,
+       out_offset += scnprintf(buf + out_offset, out_count - out_offset,
                               "Rx ring full....................%u\n",
                               pdcs->rx_ring_full);
-       out_offset += snprintf(buf + out_offset, out_count - out_offset,
+       out_offset += scnprintf(buf + out_offset, out_count - out_offset,
                               "Tx desc write fail. Ring full...%u\n",
                               pdcs->txnobuf);
-       out_offset += snprintf(buf + out_offset, out_count - out_offset,
+       out_offset += scnprintf(buf + out_offset, out_count - out_offset,
                               "Rx desc write fail. Ring full...%u\n",
                               pdcs->rxnobuf);
-       out_offset += snprintf(buf + out_offset, out_count - out_offset,
+       out_offset += scnprintf(buf + out_offset, out_count - out_offset,
                               "Receive overflow................%u\n",
                               pdcs->rx_oflow);
-       out_offset += snprintf(buf + out_offset, out_count - out_offset,
+       out_offset += scnprintf(buf + out_offset, out_count - out_offset,
                               "Num frags in rx ring............%u\n",
                               NRXDACTIVE(pdcs->rxin, pdcs->last_rx_curr,
                                          pdcs->nrxpost));
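Review bot: The ten `scnprintf()` calls in this hunk now truncate silently once `buf` fills up, and nothing visible here records that or the invariant the fix depends on. A short comment above the first call would make it explicit, e.g. `/* scnprintf() returns the bytes actually stored, so out_offset never exceeds out_count; output is truncated if buf is too small */`. The allocation of `buf`, the value of `out_count` and the final copy to `ubuf` are outside the hunk, so it is worth confirming there that the copy length comes from `out_offset`. If a later clamp of `out_offset` against `out_count` exists, it can no longer trigger. pdc_debugfs_read's body starts and ends outside the hunk.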