[patch] staging: cxt1e1: buffer overflow in do_del

public inbox for kernel-janitors@vger.kernel.org
 help / color / mirror / Atom feed

* [patch] staging: cxt1e1: buffer overflow in do_del_chan()
@ 2013-01-24  6:41 Dan Carpenter
  0 siblings, 0 replies; only message in thread
From: Dan Carpenter @ 2013-01-24  6:41 UTC (permalink / raw)
  To: kernel-janitors

If we don't restrict "cp.channum" to 3 digits then the sprintf() will
overflow.  I've added a check and changed the sprintf() to snprintf().

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

diff --git a/drivers/staging/cxt1e1/linux.c b/drivers/staging/cxt1e1/linux.c
index 0ff2865..a829b62 100644
--- a/drivers/staging/cxt1e1/linux.c
+++ b/drivers/staging/cxt1e1/linux.c
@@ -773,7 +773,9 @@ do_del_chan (struct net_device * musycc_dev, void *data)
     if (copy_from_user (&cp, data,
                         sizeof (struct sbecom_chan_param)))
         return -EFAULT;
-    sprintf (buf, CHANNAME "%d", cp.channum);
+    if (cp.channum > 999)
+        return -EINVAL;
+    snprintf (buf, sizeof(buf), CHANNAME "%d", cp.channum);
     if (!(dev = dev_get_by_name (&init_net, buf)))
         return -ENOENT;
     dev_put (dev);

^ permalink raw reply related	[flat|nested] only message in thread

only message in thread, other threads:[~2013-01-24  6:41 UTC | newest]

Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-01-24  6:41 [patch] staging: cxt1e1: buffer overflow in do_del_chan() Dan Carpenter

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox