From b647de5716679e64c9b0233565ef658b07cc119b Mon Sep 17 00:00:00 2001 From: orbisai0security Date: Thu, 14 May 2026 02:24:39 +0000 Subject: [PATCH 1/3] fix: V-008 security vulnerability Automated security fix generated by Orbis Security AI Signed-off-by: orbisai0security --- src/linux/qcom_usbnet/qcom_usbnet_main.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/linux/qcom_usbnet/qcom_usbnet_main.c b/src/linux/qcom_usbnet/qcom_usbnet_main.c index 82b771d..488f56f 100644 --- a/src/linux/qcom_usbnet/qcom_usbnet_main.c +++ b/src/linux/qcom_usbnet/qcom_usbnet_main.c @@ -160,7 +160,7 @@ sGobiUSBNet *GobiAcquireDevice(char *mpKey, struct usbnet * pDev) } else { - sprintf(commonDevName,"%s:%d-%s", mpKey, pDev->udev->bus->busnum, pDev->udev->devpath); + snprintf(commonDevName, sizeof(commonDevName), "%s:%d-%s", mpKey, pDev->udev->bus->busnum, pDev->udev->devpath); commonDevName[254] = '\0'; list_for_each_entry(pGobiDev, &DeviceListIdle, node) @@ -2481,7 +2481,7 @@ static ssize_t debug_show(struct kobject *kobj, qmi_sys = (qmi_sys<<8) + logLvl; } } - return sprintf(buf, "%04x\n", qmi_sys); + return snprintf(buf, PAGE_SIZE, "%04x\n", qmi_sys); } static ssize_t debug_store(struct kobject *kobj, @@ -2576,7 +2576,7 @@ static ssize_t gobiQMITimer_show(struct kobject *kobj, #ifdef TX_AGGR ctx = &pDevOnRecord->tx_aggr_ctx; if (ctx->timer_interval) - return sprintf(buf, "%llu\n", ctx->timer_interval / (u32)NSEC_PER_MSEC); + return snprintf(buf, PAGE_SIZE, "%llu\n", ctx->timer_interval / (u32)NSEC_PER_MSEC); #endif } } @@ -3129,7 +3129,7 @@ static ssize_t GobiUSBprocRead(struct file *file, char __user *ubuf,size_t count if(*ppos > 0 || count < BUFSIZE) return 0; - len += sprintf(buf, "%d %ld ms\n", debug_g, gtimer/NSEC_PER_USEC); + len += snprintf(buf, BUFSIZE, "%d %ld ms\n", debug_g, gtimer/NSEC_PER_USEC); if(copy_to_user(ubuf,buf,len)) return -EFAULT; From 49b72697c0253e9e15ef3abaf6799a44518ec9e4 Mon Sep 17 00:00:00 2001 
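Review bot: The `snprintf` call in GobiAcquireDevice discards its return value, so a name that does not fit is silently truncated and then used as-is; the hunk goes straight on to walk `DeviceListIdle`, presumably matching on that name, where two distinct devices with the same truncated prefix could be treated as one. Keep the result and refuse to match on a truncated key: `n = snprintf(commonDevName, sizeof(commonDevName), "%s:%d-%s", mpKey, pDev->udev->bus->busnum, pDev->udev->devpath);` followed by `if (n >= (int)sizeof(commonDevName)) /* truncated: take the function's existing failure path */`. `sizeof(commonDevName)` is only the right bound if `commonDevName` is an array visible at this point; the `[254]` store on the next line suggests a 255-byte array, but the declaration is outside the hunk. The [PATCH 3/3] hunk on the same function drops the manual terminator and leaves the truncation unchecked as well. The function body starts and ends outside the hunk.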
From: OrbisAI Security Date: Sat, 16 May 2026 10:09:25 +0530 Subject: [PATCH 2/3] fix: replace snprintf with scnprintf in sysfs/proc show handlers scnprintf returns the actual number of bytes written (capped at n-1), while snprintf returns the would-be length which can exceed the buffer. This corrects the V-008 fix for debug_show, gobiQMITimer_show, and GobiUSBprocRead per code review feedback on PR #42. Co-Authored-By: Claude Sonnet 4.6 --- src/linux/qcom_usbnet/qcom_usbnet_main.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/linux/qcom_usbnet/qcom_usbnet_main.c b/src/linux/qcom_usbnet/qcom_usbnet_main.c index 488f56f..20b0521 100644 --- a/src/linux/qcom_usbnet/qcom_usbnet_main.c +++ b/src/linux/qcom_usbnet/qcom_usbnet_main.c @@ -2481,7 +2481,7 @@ static ssize_t debug_show(struct kobject *kobj, qmi_sys = (qmi_sys<<8) + logLvl; } } - return snprintf(buf, PAGE_SIZE, "%04x\n", qmi_sys); + return scnprintf(buf, PAGE_SIZE, "%04x\n", qmi_sys); } static ssize_t debug_store(struct kobject *kobj, @@ -2576,7 +2576,7 @@ static ssize_t gobiQMITimer_show(struct kobject *kobj, #ifdef TX_AGGR ctx = &pDevOnRecord->tx_aggr_ctx; if (ctx->timer_interval) - return snprintf(buf, PAGE_SIZE, "%llu\n", ctx->timer_interval / (u32)NSEC_PER_MSEC); + return scnprintf(buf, PAGE_SIZE, "%llu\n", ctx->timer_interval / (u32)NSEC_PER_MSEC); #endif } } @@ -3129,7 +3129,7 @@ static ssize_t GobiUSBprocRead(struct file *file, char __user *ubuf,size_t count if(*ppos > 0 || count < BUFSIZE) return 0; - len += snprintf(buf, BUFSIZE, "%d %ld ms\n", debug_g, gtimer/NSEC_PER_USEC); + len += scnprintf(buf, BUFSIZE, "%d %ld ms\n", debug_g, gtimer/NSEC_PER_USEC); if(copy_to_user(ubuf,buf,len)) return -EFAULT; From a17d79eae09e4ae49e7bfcdfd003f5b039625c06 Mon Sep 17 00:00:00 2001 
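Review bot: In debug_show the sysfs buffer is still formatted with a hand-supplied `PAGE_SIZE` bound; the kernel's sysfs documentation asks show() callbacks to use `sysfs_emit()`, which applies the page bound itself and warns when `buf` is not the page-aligned sysfs buffer. The line would become `return sysfs_emit(buf, "%04x\n", qmi_sys);`, and the gobiQMITimer_show hunk likewise `return sysfs_emit(buf, "%llu\n", ctx->timer_interval / (u32)NSEC_PER_MSEC);`. `sysfs_emit()` is only available from kernel 5.10 on, so if this out-of-tree driver has to build against older kernels, `scnprintf` with `PAGE_SIZE` is the reasonable fallback, and a short comment saying so would help. Both function bodies start outside their hunks.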
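Review bot: The bound passed to `scnprintf` in GobiUSBprocRead is the macro `BUFSIZE` rather than the size of `buf`, and `buf` is declared outside the hunk, so nothing visible here shows that the two agree. If `buf` is a local array, `len += scnprintf(buf, sizeof(buf), "%d %ld ms\n", debug_g, gtimer/NSEC_PER_USEC);` keeps the bound tied to the storage even if the array is later resized. The same line labels the value `ms` while dividing by `NSEC_PER_USEC`; if `gtimer` is held in nanoseconds the printed figure is microseconds, which is worth confirming where `gtimer` is set. The function body starts and ends outside the hunk.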
From: OrbisAI Security Date: Wed, 3 Jun 2026 13:09:57 +0530 Subject: [PATCH 3/3] fix: remove redundant null terminator after snprintf snprintf() always null-terminates its output buffer, so the explicit commonDevName[254] = '\0' assignment after the snprintf call is unnecessary. Addresses review comment from @5656hcx on PR #42. Signed-off-by: OrbisAI Security --- src/linux/qcom_usbnet/qcom_usbnet_main.c | 1 - 1 file changed, 1 deletion(-) diff --git a/src/linux/qcom_usbnet/qcom_usbnet_main.c b/src/linux/qcom_usbnet/qcom_usbnet_main.c index 20b0521..434ac06 100644 --- a/src/linux/qcom_usbnet/qcom_usbnet_main.c +++ b/src/linux/qcom_usbnet/qcom_usbnet_main.c @@ -161,7 +161,6 @@ sGobiUSBNet *GobiAcquireDevice(char *mpKey, struct usbnet * pDev) else { snprintf(commonDevName, sizeof(commonDevName), "%s:%d-%s", mpKey, pDev->udev->bus->busnum, pDev->udev->devpath); - commonDevName[254] = '\0'; list_for_each_entry(pGobiDev, &DeviceListIdle, node) {