staging: cxt1e1: buffer overflow in do_del_chan()

If we don't restrict "cp.channum" to 3 digits then the sprintf() will overflow. I've added a check and changed the sprintf() to snprintf(). Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Dan Carpenter <dan.carpenter@oracle.com> 2013-01-24 09:41:43 +0300
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2013-01-25 11:21:26 -0800
commit: 96a8d14e875a017f9e9e71d93433414e9fb8863f (patch)
tree: 80e1968fc8318243921c35be0cf6324f4fa01e9f
parent: 392c6ff87f568d573239b763855160d1f06114de (diff)
download: linux-96a8d14e875a017f9e9e71d93433414e9fb8863f.tar.bz2
1 files changed, 3 insertions, 1 deletions
diff --git a/drivers/staging/cxt1e1/linux.c b/drivers/staging/cxt1e1/linux.c
index 0ff2865edec8..a829b6231a66 100644
--- a/drivers/staging/cxt1e1/linux.c
+++ b/drivers/staging/cxt1e1/linux.c
@@ -773,7 +773,9 @@ do_del_chan (struct net_device * musycc_dev, void *data)
     if (copy_from_user (&cp, data,
                         sizeof (struct sbecom_chan_param)))
         return -EFAULT;
-    sprintf (buf, CHANNAME "%d", cp.channum);
+    if (cp.channum > 999)
+        return -EINVAL;
+    snprintf (buf, sizeof(buf), CHANNAME "%d", cp.channum);
     if (!(dev = dev_get_by_name (&init_net, buf)))
         return -ENOENT;
     dev_put (dev);
author	Dan Carpenter <dan.carpenter@oracle.com>	2013-01-24 09:41:43 +0300
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2013-01-25 11:21:26 -0800
commit	96a8d14e875a017f9e9e71d93433414e9fb8863f (patch)
tree	80e1968fc8318243921c35be0cf6324f4fa01e9f
parent	392c6ff87f568d573239b763855160d1f06114de (diff)
download	linux-96a8d14e875a017f9e9e71d93433414e9fb8863f.tar.bz2