Commit 96a8d14e authored by Dan Carpenter's avatar Dan Carpenter Committed by Greg Kroah-Hartman

staging: cxt1e1: buffer overflow in do_del_chan()

If we don't restrict "cp.channum" to 3 digits then the sprintf() will
overflow.  I've added a check and changed the sprintf() to snprintf().
Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 392c6ff8
...@@ -773,7 +773,9 @@ do_del_chan (struct net_device * musycc_dev, void *data) ...@@ -773,7 +773,9 @@ do_del_chan (struct net_device * musycc_dev, void *data)
if (copy_from_user (&cp, data, if (copy_from_user (&cp, data,
sizeof (struct sbecom_chan_param))) sizeof (struct sbecom_chan_param)))
return -EFAULT; return -EFAULT;
sprintf (buf, CHANNAME "%d", cp.channum); if (cp.channum > 999)
return -EINVAL;
snprintf (buf, sizeof(buf), CHANNAME "%d", cp.channum);
if (!(dev = dev_get_by_name (&init_net, buf))) if (!(dev = dev_get_by_name (&init_net, buf)))
return -ENOENT; return -ENOENT;
dev_put (dev); dev_put (dev);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment