Skip to content

Commit

Permalink
staging: cxt1e1: buffer overflow in do_del_chan()
Browse files Browse the repository at this point in the history 
If we don't restrict "cp.channum" to 3 digits then the sprintf() will
overflow.  I've added a check and changed the sprintf() to snprintf().

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  • Loading branch information
Dan Carpenter authored and Greg Kroah-Hartman committed Jan 25, 2013
1 parent 392c6ff commit 96a8d14
Showing 1 changed file with 3 additions and 1 deletion.
4 changes: 3 additions & 1 deletion drivers/staging/cxt1e1/linux.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -773,7 +773,9 @@ do_del_chan (struct net_device * musycc_dev, void *data)
if (copy_from_user (&cp, data,
sizeof (struct sbecom_chan_param)))
return -EFAULT;
sprintf (buf, CHANNAME "%d", cp.channum);
if (cp.channum > 999)
return -EINVAL;
snprintf (buf, sizeof(buf), CHANNAME "%d", cp.channum);
if (!(dev = dev_get_by_name (&init_net, buf)))
return -ENOENT;
dev_put (dev);
Expand Down

0 comments on commit 96a8d14

Please sign in to comment.