ALSA: cs423x: fix format string overflow warning
authorArnd Bergmann <arnd@arndb.de>
Tue, 18 Jul 2017 11:48:05 +0000 (13:48 +0200)
committerTakashi Iwai <tiwai@suse.de>
Tue, 18 Jul 2017 15:51:55 +0000 (17:51 +0200)
The snd_pcm name may overflow the card->longname total size:

sound/isa/cs423x/cs4231.c: In function 'snd_cs4231_probe':
sound/isa/cs423x/cs4231.c:115:26: error: ' at 0x' directive writing 6 bytes into a region of size between 1 and 80 [-Werror=format-overflow=] 0x%lx, irq %d, dma %d",
  sprintf(card->longname, "%s at 0x%lx, irq %d, dma %d",
                          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This changes the driver to use snprintf() so we truncate the string
instead of overflowing into the next field if that happens.

I decided to split out the second format string for the extra
DMA channel to keep the code simpler.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
sound/isa/cs423x/cs4231.c
sound/isa/cs423x/cs4236.c

index e8edd9017a2f22205b64a19b2adb68fe3f27beca..d90ab9558f7fd290904d7fbfedf38c47886d77dd 100644 (file)
@@ -109,13 +109,17 @@ static int snd_cs4231_probe(struct device *dev, unsigned int n)
        if (error < 0)
                goto out;
 
-       strcpy(card->driver, "CS4231");
-       strcpy(card->shortname, chip->pcm->name);
-
-       sprintf(card->longname, "%s at 0x%lx, irq %d, dma %d",
-               chip->pcm->name, chip->port, irq[n], dma1[n]);
-       if (dma2[n] >= 0)
-               sprintf(card->longname + strlen(card->longname), "&%d", dma2[n]);
+       strlcpy(card->driver, "CS4231", sizeof(card->driver));
+       strlcpy(card->shortname, chip->pcm->name, sizeof(card->shortname));
+
+       if (dma2[n] < 0)
+               snprintf(card->longname, sizeof(card->longname),
+                        "%s at 0x%lx, irq %d, dma %d",
+                        chip->pcm->name, chip->port, irq[n], dma1[n]);
+       else
+               snprintf(card->longname, sizeof(card->longname),
+                        "%s at 0x%lx, irq %d, dma %d&%d",
+                        chip->pcm->name, chip->port, irq[n], dma1[n], dma2[n]);
 
        error = snd_wss_mixer(chip);
        if (error < 0)
index 1f9a3b2be7a1f705e40e15e8358a46b93e50a0f9..4c09756c73530bc2cfdc91a16cdc79ef9e7ac1b2 100644 (file)
@@ -419,15 +419,17 @@ static int snd_cs423x_probe(struct snd_card *card, int dev)
                if (err < 0)
                        return err;
        }
-       strcpy(card->driver, chip->pcm->name);
-       strcpy(card->shortname, chip->pcm->name);
-       sprintf(card->longname, "%s at 0x%lx, irq %i, dma %i",
-               chip->pcm->name,
-               chip->port,
-               irq[dev],
-               dma1[dev]);
-       if (dma2[dev] >= 0)
-               sprintf(card->longname + strlen(card->longname), "&%d", dma2[dev]);
+       strlcpy(card->driver, chip->pcm->name, sizeof(card->driver));
+       strlcpy(card->shortname, chip->pcm->name, sizeof(card->shortname));
+       if (dma2[dev] < 0)
+               snprintf(card->longname, sizeof(card->longname),
+                        "%s at 0x%lx, irq %i, dma %i",
+                        chip->pcm->name, chip->port, irq[dev], dma1[dev]);
+       else
+               snprintf(card->longname, sizeof(card->longname),
+                        "%s at 0x%lx, irq %i, dma %i&%d",
+                        chip->pcm->name, chip->port, irq[dev], dma1[dev],
+                        dma2[dev]);
 
        err = snd_wss_timer(chip, 0);
        if (err < 0)