[PATCH 1/7] ALSA: asihpi: bound control name formatting

[PATCH 1/7] ALSA: asihpi: bound control name formatting

[Pengpeng Hou]

asihpi_ctl_init() builds mixer control names in the fixed 44-byte
hpi_ctl->name buffer, but it currently does so with sprintf(). Some
source/destination node names are already long enough that combining both
endpoints, their indices, the direction prefix, and the control name can
run past the end of the buffer.

Switch the formatting to snprintf() so the driver never writes past the
ALSA control name storage.

Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
---
 sound/pci/asihpi/asihpi.c | 22 ++++++++++++----------
 1 file changed, 12 insertions(+), 10 deletions(-)

diff --git a/sound/pci/asihpi/asihpi.c b/sound/pci/asihpi/asihpi.c
index 3a64d0562803..f8bcc05c8742 100644
--- a/sound/pci/asihpi/asihpi.c
+++ b/sound/pci/asihpi/asihpi.c
@@ -1384,22 +1384,25 @@ static void asihpi_ctl_init(struct snd_kcontrol_new *snd_control,
 		dir = "Playback "; /* PCM Playback source, or  output node */
 
 	if (hpi_ctl->src_node_type && hpi_ctl->dst_node_type)
-		sprintf(hpi_ctl->name, "%s %d %s %d %s%s",
+		snprintf(hpi_ctl->name, sizeof(hpi_ctl->name),
+			 "%s %d %s %d %s%s",
 			asihpi_src_names[hpi_ctl->src_node_type],
 			hpi_ctl->src_node_index,
 			asihpi_dst_names[hpi_ctl->dst_node_type],
 			hpi_ctl->dst_node_index,
 			dir, name);
 	else if (hpi_ctl->dst_node_type) {
-		sprintf(hpi_ctl->name, "%s %d %s%s",
-		asihpi_dst_names[hpi_ctl->dst_node_type],
-		hpi_ctl->dst_node_index,
-		dir, name);
+		snprintf(hpi_ctl->name, sizeof(hpi_ctl->name),
+			 "%s %d %s%s",
+			 asihpi_dst_names[hpi_ctl->dst_node_type],
+			 hpi_ctl->dst_node_index,
+			 dir, name);
 	} else {
-		sprintf(hpi_ctl->name, "%s %d %s%s",
-		asihpi_src_names[hpi_ctl->src_node_type],
-		hpi_ctl->src_node_index,
-		dir, name);
+		snprintf(hpi_ctl->name, sizeof(hpi_ctl->name),
+			 "%s %d %s%s",
+			 asihpi_src_names[hpi_ctl->src_node_type],
+			 hpi_ctl->src_node_index,
+			 dir, name);
 	}
 }
 
@@ -2957,4 +2960,3 @@ static void __exit snd_asihpi_exit(void)
 
 module_init(snd_asihpi_init)
 module_exit(snd_asihpi_exit)
-
-- 
2.50.1 (Apple Git-155)

Re: [PATCH 1/7] ALSA: asihpi: bound control name formatting

[Takashi Iwai]

On Mon, 23 Mar 2026 08:03:10 +0100,
Pengpeng Hou wrote:
> 
> asihpi_ctl_init() builds mixer control names in the fixed 44-byte
> hpi_ctl->name buffer, but it currently does so with sprintf(). Some
> source/destination node names are already long enough that combining both
> endpoints, their indices, the direction prefix, and the control name can
> run past the end of the buffer.

Does it really overflow?  IOW, it's just for a defensive programming,
right?  Please clarify it, otherwise we'll receive an unnecessary CVE
number judged only from the description.

> Switch the formatting to snprintf() so the driver never writes past the
> ALSA control name storage.

For that purpose, please use scnprintf() instead.  snprintf() would
lead to other unnecessary warnings due to the potential overflow when
built with W=1, too.

> @@ -2957,4 +2960,3 @@ static void __exit snd_asihpi_exit(void)
>  
>  module_init(snd_asihpi_init)
>  module_exit(snd_asihpi_exit)
> -

This is unneeded change.  Please drop.


thanks,

Takashi