tcp: warn if offset reach the maxlen limit when using snprintf

snprintf returns the number of chars that would be written, not number of chars that were actually written. As such, 'offs' may get larger than 'tbl.maxlen', causing the 'tbl.maxlen - offs' being < 0, and since the parameter is size_t, it would overflow. Since using scnprintf may hide the limit error, while the buffer is still enough now, let's just add a WARN_ON_ONCE in case it reach the limit in future. v2: Use WARN_ON_ONCE as Jiri and Eric suggested. Suggested-by: Jiri Benc <jbenc@redhat.com> Signed-off-by: Hangbin Liu <liuhangbin@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Hangbin Liu <liuhangbin@gmail.com> 2019-11-20 16:38:08 +0800
committer: David S. Miller <davem@davemloft.net> 2019-11-20 22:23:36 -0800
commit: 9bb59a21f53e7231696257d5e6283a4fbacfb43f (patch)
tree: 74a2d5c284838dca140388d71a7f226057aa9b36 /net/ipv4/tcp_cong.c
parent: c0d59da79534e85eb550d863e35eccc8c3fd8ceb (diff)
1 files changed, 6 insertions, 0 deletions
diff --git a/net/ipv4/tcp_cong.c b/net/ipv4/tcp_cong.c
index c445a81d144e..3737ec096650 100644
--- a/net/ipv4/tcp_cong.c
+++ b/net/ipv4/tcp_cong.c
@@ -256,6 +256,9 @@ void tcp_get_available_congestion_control(char *buf, size_t maxlen)
 		offs += snprintf(buf + offs, maxlen - offs,
 				 "%s%s",
 				 offs == 0 ? "" : " ", ca->name);
+
+		if (WARN_ON_ONCE(offs >= maxlen))
+			break;
 	}
 	rcu_read_unlock();
 }
@@ -285,6 +288,9 @@ void tcp_get_allowed_congestion_control(char *buf, size_t maxlen)
 		offs += snprintf(buf + offs, maxlen - offs,
 				 "%s%s",
 				 offs == 0 ? "" : " ", ca->name);
+
+		if (WARN_ON_ONCE(offs >= maxlen))
+			break;
 	}
 	rcu_read_unlock();
 }
author	Hangbin Liu <liuhangbin@gmail.com>	2019-11-20 16:38:08 +0800
committer	David S. Miller <davem@davemloft.net>	2019-11-20 22:23:36 -0800
commit	9bb59a21f53e7231696257d5e6283a4fbacfb43f (patch)
tree	74a2d5c284838dca140388d71a7f226057aa9b36 /net/ipv4/tcp_cong.c
parent	c0d59da79534e85eb550d863e35eccc8c3fd8ceb (diff)