greybus: firmware: fix potential stack corruption
author Johan Hovold <johan@hovoldconsulting.com>
Fri, 28 Aug 2015 09:58:24 +0000 (11:58 +0200)
committer Johan Hovold <johan@hovoldconsulting.com>
Tue, 1 Sep 2015 12:42:02 +0000 (14:42 +0200)
Use snprintf when generating the firmware name to avoid stack corruption
if the fixed-size buffer overflows.

Note that the current buffer size appears to expect 16-bit ids while
they are actually 32-bit, something which could trigger the
corruption.

Signed-off-by: Johan Hovold <johan@hovoldconsulting.com>
Reviewed-by: Viresh Kumar <viresh.kumar@linaro.org>
drivers/staging/greybus/firmware.c

index 13efaabb891be3d682d33758a11cd10eeeed2676..e888b7ae4c593c1bc91d866412ab944b262eabb0 100644 (file)
@@ -38,9 +38,10 @@ static int download_firmware(struct gb_firmware *firmware, u8 stage)
         *
         * XXX Name it properly..
         */
-       sprintf(firmware_name, "ara:%04x:%04x:%04x:%04x:%04x.fw", intf->unipro_mfg_id,
-               intf->unipro_prod_id, intf->ara_vend_id, intf->ara_prod_id,
-               stage);
+       snprintf(firmware_name, sizeof(firmware_name),
+                "ara:%04x:%04x:%04x:%04x:%04x.fw",
+                intf->unipro_mfg_id, intf->unipro_prod_id,
+                intf->ara_vend_id, intf->ara_prod_id, stage);
 
        return request_firmware(&firmware->fw, firmware_name, &connection->dev);
 }
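
Review bot: the return value of snprintf() in the added lines is discarded, so a truncated name goes straight to request_firmware() on the next line. "%04x" only sets a minimum width, and the commit message says the ids are 32-bit, so each id field can expand to eight hex digits; with the bounded call the stack is no longer overwritten, but the driver would then request a shortened, wrong file name with no diagnostic. Consider comparing the result against sizeof(firmware_name) and returning an error such as -ENAMETOOLONG when it does not fit, or sizing firmware_name for the widest possible ids in the same patch.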