From 96a8d14e875a017f9e9e71d93433414e9fb8863f Mon Sep 17 00:00:00 2001 From: Dan Carpenter Date: Thu, 24 Jan 2013 09:41:43 +0300 Subject: [PATCH] staging: cxt1e1: buffer overflow in do_del_chan() If we don't restrict "cp.channum" to 3 digits then the sprintf() will overflow. I've added a check and changed the sprintf() to snprintf(). Signed-off-by: Dan Carpenter Signed-off-by: Greg Kroah-Hartman --- drivers/staging/cxt1e1/linux.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/staging/cxt1e1/linux.c b/drivers/staging/cxt1e1/linux.c index 0ff2865edec8..a829b6231a66 100644 --- a/drivers/staging/cxt1e1/linux.c +++ b/drivers/staging/cxt1e1/linux.c @@ -773,7 +773,9 @@ do_del_chan (struct net_device * musycc_dev, void *data) if (copy_from_user (&cp, data, sizeof (struct sbecom_chan_param))) return -EFAULT; - sprintf (buf, CHANNAME "%d", cp.channum); + if (cp.channum > 999) + return -EINVAL; + snprintf (buf, sizeof(buf), CHANNAME "%d", cp.channum); if (!(dev = dev_get_by_name (&init_net, buf))) return -ENOENT; dev_put (dev); -- 2.39.5