[PATCH 5.10] nvmet: replace the dangerous sprintf function with the snprintf function

Alexandr Sapozhnikov alsp705 at gmail.com
Mon Nov 10 07:23:26 PST 2025


Replace the dangerous sprintf function with its safer, bounded 
equivalent, snprintf. This improves driver security by preventing 
out-of-bounds writes to the page array.

Fixes: 7e764179c867 ("nvmet: use type-name map for address family")
Signed-off-by: Alexandr Sapozhnikov <alsp705 at gmail.com>
---
 drivers/nvme/target/configfs.c | 30 +++++++++++++++---------------
 1 file changed, 15 insertions(+), 15 deletions(-)

diff --git a/drivers/nvme/target/configfs.c b/drivers/nvme/target/configfs.c
index 37e1d7784e17..49dfeb4194b9 100644
--- a/drivers/nvme/target/configfs.c
+++ b/drivers/nvme/target/configfs.c
@@ -60,10 +60,10 @@ static ssize_t nvmet_addr_adrfam_show(struct config_item *item, char *page)
 
 	for (i = 1; i < ARRAY_SIZE(nvmet_addr_family); i++) {
 		if (nvmet_addr_family[i].type == adrfam)
-			return sprintf(page, "%s\n", nvmet_addr_family[i].name);
+			return snprintf(page, PAGE_SIZE, "%s\n", nvmet_addr_family[i].name);
 	}
 
-	return sprintf(page, "\n");
+	return snprintf(page, PAGE_SIZE, "\n");
 }
 
 static ssize_t nvmet_addr_adrfam_store(struct config_item *item,
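Review bot: The new return inside the loop of nvmet_addr_adrfam_show runs to roughly 90 columns at kernel tab width, where kernel style prefers 80. Wrapping after the format string keeps it within the limit: `return snprintf(page, PAGE_SIZE, "%s\n",` followed by `nvmet_addr_family[i].name);` on a continuation line. The same applies to the table-lookup returns in nvmet_addr_treq_show, nvmet_addr_trtype_show and nvmet_ana_group_ana_state_show. The function body starts outside this hunk.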
@@ -162,10 +162,10 @@ static ssize_t nvmet_addr_treq_show(struct config_item *item, char *page)
 
 	for (i = 0; i < ARRAY_SIZE(nvmet_addr_treq); i++) {
 		if (treq == nvmet_addr_treq[i].type)
-			return sprintf(page, "%s\n", nvmet_addr_treq[i].name);
+			return snprintf(page, PAGE_SIZE, "%s\n", nvmet_addr_treq[i].name);
 	}
 
-	return sprintf(page, "\n");
+	return snprintf(page, PAGE_SIZE, "\n");
 }
 
 static ssize_t nvmet_addr_treq_store(struct config_item *item,
@@ -286,10 +286,10 @@ static ssize_t nvmet_addr_trtype_show(struct config_item *item,
 
 	for (i = 0; i < ARRAY_SIZE(nvmet_transport); i++) {
 		if (port->disc_addr.trtype == nvmet_transport[i].type)
-			return sprintf(page, "%s\n", nvmet_transport[i].name);
+			return snprintf(page, PAGE_SIZE, "%s\n", nvmet_transport[i].name);
 	}
 
-	return sprintf(page, "\n");
+	return snprintf(page, PAGE_SIZE, "\n");
 }
 
 static void nvmet_port_init_tsas_rdma(struct nvmet_port *port)
@@ -331,7 +331,7 @@ CONFIGFS_ATTR(nvmet_, addr_trtype);
  */
 static ssize_t nvmet_ns_device_path_show(struct config_item *item, char *page)
 {
-	return sprintf(page, "%s\n", to_nvmet_ns(item)->device_path);
+	return snprintf(page, PAGE_SIZE, "%s\n", to_nvmet_ns(item)->device_path);
 }
 
 static ssize_t nvmet_ns_device_path_store(struct config_item *item,
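Review bot: snprintf() returns the length the formatted string would have had, not the number of bytes stored, so if device_path plus the newline ever exceeded PAGE_SIZE this show handler would report more bytes than the page holds. device_path is the one value in this patch whose length is not fixed at compile time (the other hunks print table names, integers and UUIDs), so this is where the return value matters. `scnprintf()` returns the count actually written and keeps the result within the buffer: `return scnprintf(page, PAGE_SIZE, "%s\n", to_nvmet_ns(item)->device_path);`. How device_path is bounded when it is stored is not visible in this hunk, so whether truncation is reachable should be confirmed against the store handler.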
@@ -412,7 +412,7 @@ CONFIGFS_ATTR(nvmet_ns_, p2pmem);
 
 static ssize_t nvmet_ns_device_uuid_show(struct config_item *item, char *page)
 {
-	return sprintf(page, "%pUb\n", &to_nvmet_ns(item)->uuid);
+	return snprintf(page, PAGE_SIZE, "%pUb\n", &to_nvmet_ns(item)->uuid);
 }
 
 static ssize_t nvmet_ns_device_uuid_store(struct config_item *item,
@@ -440,7 +440,7 @@ CONFIGFS_ATTR(nvmet_ns_, device_uuid);
 
 static ssize_t nvmet_ns_device_nguid_show(struct config_item *item, char *page)
 {
-	return sprintf(page, "%pUb\n", &to_nvmet_ns(item)->nguid);
+	return snprintf(page, PAGE_SIZE, "%pUb\n", &to_nvmet_ns(item)->nguid);
 }
 
 static ssize_t nvmet_ns_device_nguid_store(struct config_item *item,
@@ -486,7 +486,7 @@ CONFIGFS_ATTR(nvmet_ns_, device_nguid);
 
 static ssize_t nvmet_ns_ana_grpid_show(struct config_item *item, char *page)
 {
-	return sprintf(page, "%u\n", to_nvmet_ns(item)->anagrpid);
+	return snprintf(page, PAGE_SIZE, "%u\n", to_nvmet_ns(item)->anagrpid);
 }
 
 static ssize_t nvmet_ns_ana_grpid_store(struct config_item *item,
@@ -519,7 +519,7 @@ CONFIGFS_ATTR(nvmet_ns_, ana_grpid);
 
 static ssize_t nvmet_ns_enable_show(struct config_item *item, char *page)
 {
-	return sprintf(page, "%d\n", to_nvmet_ns(item)->enabled);
+	return snprintf(page, PAGE_SIZE, "%d\n", to_nvmet_ns(item)->enabled);
 }
 
 static ssize_t nvmet_ns_enable_store(struct config_item *item,
@@ -544,7 +544,7 @@ CONFIGFS_ATTR(nvmet_ns_, enable);
 
 static ssize_t nvmet_ns_buffered_io_show(struct config_item *item, char *page)
 {
-	return sprintf(page, "%d\n", to_nvmet_ns(item)->buffered_io);
+	return snprintf(page, PAGE_SIZE, "%d\n", to_nvmet_ns(item)->buffered_io);
 }
 
 static ssize_t nvmet_ns_buffered_io_store(struct config_item *item,
@@ -714,7 +714,7 @@ static ssize_t nvmet_passthru_enable_show(struct config_item *item,
 {
 	struct nvmet_subsys *subsys = to_subsys(item->ci_parent);
 
-	return sprintf(page, "%d\n", subsys->passthru_ctrl ? 1 : 0);
+	return snprintf(page, PAGE_SIZE, "%d\n", subsys->passthru_ctrl ? 1 : 0);
 }
 
 static ssize_t nvmet_passthru_enable_store(struct config_item *item,
@@ -1348,10 +1348,10 @@ static ssize_t nvmet_ana_group_ana_state_show(struct config_item *item,
 
 	for (i = 0; i < ARRAY_SIZE(nvmet_ana_state); i++) {
 		if (state == nvmet_ana_state[i].type)
-			return sprintf(page, "%s\n", nvmet_ana_state[i].name);
+			return snprintf(page, PAGE_SIZE, "%s\n", nvmet_ana_state[i].name);
 	}
 
-	return sprintf(page, "\n");
+	return snprintf(page, PAGE_SIZE, "\n");
 }
 
 static ssize_t nvmet_ana_group_ana_state_store(struct config_item *item,
-- 
2.51.0



