From: Johannes Berg <johannes@sipsolutions.net>

I was playing with some code that sometimes got a string where a %n
match should have been done where the input string ended, for example
like this:

  sscanf("abc123", "abc%d%n", &a, &n);  /* doesn't work */
  sscanf("abc123a", "abc%d%n", &a, &n); /* works */

However, the scanf function in the kernel doesn't convert the %n in that
case because it has already matched the complete input after %d and just
completely stops matching then. This patch fixes that.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
---

 lib/vsprintf.c |    9 +++++++++
 1 file changed, 9 insertions(+)

diff -puN lib/vsprintf.c~fix-sscanf-%n-match-at-end-of-input-string lib/vsprintf.c
--- a/lib/vsprintf.c~fix-sscanf-%n-match-at-end-of-input-string
+++ a/lib/vsprintf.c
@@ -825,6 +825,15 @@ int vsscanf(const char * buf, const char
 			break;
 		str = next;
 	}
+
+	/* Now we've come all the way through so either the input string or
+	 * the format ended. In the former case, there can be a %n at the
+	 * current position in the format that needs to be filled. */
+	if (*fmt == '%' && *(fmt+1) == 'n') {
+		int *i = (int *)va_arg(args,int*);
+		*i = str - buf;
+	}
+
 	return num;
 }
 
_