staging: cxt1e1: buffer overflow in do_del_chan()

If we don't restrict "cp.channum" to 3 digits then the sprintf() will overflow. I've added a check and changed the sprintf() to snprintf(). Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

staging: cxt1e1: buffer overflow in do_del_chan()
If we don't restrict "cp.channum" to 3 digits then the sprintf() will overflow. I've added a check and changed the sprintf() to snprintf(). Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
96a8d14e · Dan Carpenter · Greg Kroah-Hartman · 392c6ff8 · 96a8d14e
Commit 96a8d14e authored Jan 24, 2013 by Dan Carpenter Committed by Greg Kroah-Hartman Jan 25, 2013
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 1 deletion

drivers/staging/cxt1e1/linux.c drivers/staging/cxt1e1/linux.c +3 -1

No files found.
--- a/drivers/staging/cxt1e1/linux.c
+++ b/drivers/staging/cxt1e1/linux.c
@@ -773,7 +773,9 @@ do_del_chan (struct net_device * musycc_dev, void *data)
    if (copy_from_user (&cp, data,
                        sizeof (struct sbecom_chan_param)))
        return -EFAULT;
-    sprintf (buf, CHANNAME "%d", cp.channum);
+    if (cp.channum > 999)
+        return -EINVAL;
+    snprintf (buf, sizeof(buf), CHANNAME "%d", cp.channum);
    if (!(dev = dev_get_by_name (&init_net, buf)))
        return -ENOENT;
    dev_put (dev);