staging: cxt1e1: buffer overflow in do_del_chan()
authorDan Carpenter <dan.carpenter@oracle.com>
Thu, 24 Jan 2013 06:41:43 +0000 (09:41 +0300)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 25 Jan 2013 19:21:26 +0000 (11:21 -0800)
If we don't restrict "cp.channum" to 3 digits then the sprintf() will
overflow.  I've added a check and changed the sprintf() to snprintf().

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/staging/cxt1e1/linux.c

index 0ff2865edec8d567688de5c2adb20fd7c9c514ad..a829b6231a6622bd72124ce4317f3c64bb243d83 100644 (file)
@@ -773,7 +773,9 @@ do_del_chan (struct net_device * musycc_dev, void *data)
     if (copy_from_user (&cp, data,
                         sizeof (struct sbecom_chan_param)))
         return -EFAULT;
-    sprintf (buf, CHANNAME "%d", cp.channum);
+    if (cp.channum > 999)
+        return -EINVAL;
+    snprintf (buf, sizeof(buf), CHANNAME "%d", cp.channum);
     if (!(dev = dev_get_by_name (&init_net, buf)))
         return -ENOENT;
     dev_put (dev);