Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 96a8d14e authored by Dan Carpenter's avatar Dan Carpenter Committed by Greg Kroah-Hartman
Browse files

staging: cxt1e1: buffer overflow in do_del_chan() 



If we don't restrict "cp.channum" to 3 digits then the sprintf() will
overflow.  I've added a check and changed the sprintf() to snprintf().

Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 392c6ff8

drivers/staging/cxt1e1/linux.c

+3 −1
Original line number Diff line number Diff line
@@ -773,7 +773,9 @@ do_del_chan (struct net_device * musycc_dev, void *data) 
    if (copy_from_user (&cp, data,

                        sizeof (struct sbecom_chan_param)))

        return -EFAULT;

    sprintf (buf, CHANNAME "%d", cp.channum);

    if (cp.channum > 999)

        return -EINVAL;

    snprintf (buf, sizeof(buf), CHANNAME "%d", cp.channum);

    if (!(dev = dev_get_by_name (&init_net, buf)))

        return -ENOENT;

    dev_put (dev);