From db8ce746e13fa90fdc681ddfcf1d6e8f93f5733f Mon Sep 17 00:00:00 2001
From: khorben <khorben@NetBSD.org>
Date: Thu, 4 Jan 2018 00:09:12 +0000
Subject: [PATCH] Fix off-by-one when calling snprintf(9) in hdafg_getdev()

This is actually harmless, since:
- the offset is too short rather than too long (no overflow)
- the struct audio_device comes from userland (no information leak)

"looks good to me" nat@
---
 sys/dev/hdaudio/hdafg.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/sys/dev/hdaudio/hdafg.c b/sys/dev/hdaudio/hdafg.c
index 267c7b002a5f..301cb30cda92 100644
--- a/sys/dev/hdaudio/hdafg.c
+++ b/sys/dev/hdaudio/hdafg.c
@@ -1,4 +1,4 @@
-/* $NetBSD: hdafg.c,v 1.13 2017/08/04 00:25:23 mrg Exp $ */
+/* $NetBSD: hdafg.c,v 1.14 2018/01/04 00:09:12 khorben Exp $ */
 
 /*
  * Copyright (c) 2009 Precedence Technologies Ltd <support@precedence.co.uk>
@@ -60,7 +60,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: hdafg.c,v 1.13 2017/08/04 00:25:23 mrg Exp $");
+__KERNEL_RCSID(0, "$NetBSD: hdafg.c,v 1.14 2018/01/04 00:09:12 khorben Exp $");
 
 #include <sys/types.h>
 #include <sys/param.h>
@@ -4058,7 +4058,7 @@ hdafg_getdev(void *opaque, struct audio_device *audiodev)
 	    sc->sc_vendor);
 	hdaudio_findproduct(audiodev->version, sizeof(audiodev->version),
 	    sc->sc_vendor, sc->sc_product);
-	snprintf(audiodev->config, sizeof(audiodev->config) - 1,
+	snprintf(audiodev->config, sizeof(audiodev->config),
 	    "%02Xh", sc->sc_nid);
 
 	return 0;