From 4505f40a6f1a6a1bb8f8ef84a4a35263d64b5125 Mon Sep 17 00:00:00 2001 From: Dan Carpenter Date: Thu, 17 Jan 2013 21:46:18 +0000 Subject: [PATCH] enic: change sprintf() to snprintf() These are copying data into 16 char arrays. They all specify that the first string can't be more than 11 characters but once you add on the "-rx-" and the NUL character there isn't space for the %d. The first string is probably never going to be 11 characters, but if it is then let's truncate the string instead of corrupting memory. Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller --- drivers/net/ethernet/cisco/enic/enic_main.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/drivers/net/ethernet/cisco/enic/enic_main.c b/drivers/net/ethernet/cisco/enic/enic_main.c index ebccebff1437..ec1a233622c6 100644 --- a/drivers/net/ethernet/cisco/enic/enic_main.c +++ b/drivers/net/ethernet/cisco/enic/enic_main.c @@ -1490,7 +1490,8 @@ static int enic_request_intr(struct enic *enic) for (i = 0; i < enic->rq_count; i++) { intr = enic_msix_rq_intr(enic, i); - sprintf(enic->msix[intr].devname, + snprintf(enic->msix[intr].devname, + sizeof(enic->msix[intr].devname), "%.11s-rx-%d", netdev->name, i); enic->msix[intr].isr = enic_isr_msix_rq; enic->msix[intr].devid = &enic->napi[i]; @@ -1498,20 +1499,23 @@ static int enic_request_intr(struct enic *enic) for (i = 0; i < enic->wq_count; i++) { intr = enic_msix_wq_intr(enic, i); - sprintf(enic->msix[intr].devname, + snprintf(enic->msix[intr].devname, + sizeof(enic->msix[intr].devname), "%.11s-tx-%d", netdev->name, i); enic->msix[intr].isr = enic_isr_msix_wq; enic->msix[intr].devid = enic; } intr = enic_msix_err_intr(enic); - sprintf(enic->msix[intr].devname, + snprintf(enic->msix[intr].devname, + sizeof(enic->msix[intr].devname), "%.11s-err", netdev->name); enic->msix[intr].isr = enic_isr_msix_err; enic->msix[intr].devid = enic; intr = enic_msix_notify_intr(enic); - sprintf(enic->msix[intr].devname, + snprintf(enic->msix[intr].devname, + sizeof(enic->msix[intr].devname), "%.11s-notify", netdev->name); enic->msix[intr].isr = enic_isr_msix_notify; enic->msix[intr].devid = enic; -- 2.20.1