scsi: fusion: fix string overflow warning
authorArnd Bergmann <arnd@arndb.de>
Mon, 17 Jul 2017 12:00:00 +0000 (14:00 +0200)
committerMartin K. Petersen <martin.petersen@oracle.com>
Mon, 7 Aug 2017 18:04:02 +0000 (14:04 -0400)
gcc points out a theorerical string overflow:

drivers/message/fusion/mptbase.c: In function 'mpt_detach':
drivers/message/fusion/mptbase.c:2103:17: error: '%s' directive writing up to 31 bytes into a region of size 28 [-Werror=format-overflow=]
sprintf(pname, MPT_PROCFS_MPTBASEDIR "/%s/summary", ioc->name);
               ^~~~~
drivers/message/fusion/mptbase.c:2103:2: note: 'sprintf' output between 13 and 44 bytes into a destination of size 32

We can simply double the size of the local buffer here to be on the
safe side, and using snprintf() instead of sprintf() protects us
if ioc->name was not terminated properly.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
drivers/message/fusion/mptbase.c

index 62cff5afc6bdc48d3a8b20b6ae38d3f4da77e139..84eab28665f37c148407a9bdeb99adccac5f788c 100644 (file)
@@ -2079,7 +2079,7 @@ void
 mpt_detach(struct pci_dev *pdev)
 {
        MPT_ADAPTER     *ioc = pci_get_drvdata(pdev);
-       char pname[32];
+       char pname[64];
        u8 cb_idx;
        unsigned long flags;
        struct workqueue_struct *wq;
@@ -2100,11 +2100,11 @@ mpt_detach(struct pci_dev *pdev)
        spin_unlock_irqrestore(&ioc->fw_event_lock, flags);
        destroy_workqueue(wq);
 
-       sprintf(pname, MPT_PROCFS_MPTBASEDIR "/%s/summary", ioc->name);
+       snprintf(pname, sizeof(pname), MPT_PROCFS_MPTBASEDIR "/%s/summary", ioc->name);
        remove_proc_entry(pname, NULL);
-       sprintf(pname, MPT_PROCFS_MPTBASEDIR "/%s/info", ioc->name);
+       snprintf(pname, sizeof(pname), MPT_PROCFS_MPTBASEDIR "/%s/info", ioc->name);
        remove_proc_entry(pname, NULL);
-       sprintf(pname, MPT_PROCFS_MPTBASEDIR "/%s", ioc->name);
+       snprintf(pname, sizeof(pname), MPT_PROCFS_MPTBASEDIR "/%s", ioc->name);
        remove_proc_entry(pname, NULL);
 
        /* call per device driver remove entry point */