From: Dan Carpenter Date: Thu, 24 Jan 2013 06:41:43 +0000 (+0300) Subject: staging: cxt1e1: buffer overflow in do_del_chan() X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=96a8d14e875a017f9e9e71d93433414e9fb8863f;p=GitHub%2FLineageOS%2FG12%2Fandroid_kernel_amlogic_linux-4.9.git staging: cxt1e1: buffer overflow in do_del_chan() If we don't restrict "cp.channum" to 3 digits then the sprintf() will overflow. I've added a check and changed the sprintf() to snprintf(). Signed-off-by: Dan Carpenter Signed-off-by: Greg Kroah-Hartman --- diff --git a/drivers/staging/cxt1e1/linux.c b/drivers/staging/cxt1e1/linux.c index 0ff2865edec8..a829b6231a66 100644 --- a/drivers/staging/cxt1e1/linux.c +++ b/drivers/staging/cxt1e1/linux.c @@ -773,7 +773,9 @@ do_del_chan (struct net_device * musycc_dev, void *data) if (copy_from_user (&cp, data, sizeof (struct sbecom_chan_param))) return -EFAULT; - sprintf (buf, CHANNAME "%d", cp.channum); + if (cp.channum > 999) + return -EINVAL; + snprintf (buf, sizeof(buf), CHANNAME "%d", cp.channum); if (!(dev = dev_get_by_name (&init_net, buf))) return -ENOENT; dev_put (dev);