On Tue, Jan 5, 2016 at 11:45 AM, Viresh Kumar viresh.kumar@linaro.org wrote:
sprintf() can access memory outside of the range of the character array, and is risky in some situations. The driver specified prop_name string can be longer than NAME_MAX here (only an attacker will do that though) and so blindly copying it into the character array of size NAME_MAX isn't safe. Instead we must use snprintf() here.
Thanks!
Reported-by: Geert Uytterhoeven geert@linux-m68k.org Signed-off-by: Viresh Kumar viresh.kumar@linaro.org
Acked-by: Geert Uytterhoeven geert+renesas@glider.be
Gr{oetje,eeting}s,
Geert
-- Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- geert@linux-m68k.org
In personal conversations with technical people, I call myself a hacker. But when I'm talking to journalists I just say "programmer" or something like that. -- Linus Torvalds