forked from Minki/linux
staging: cxt1e1: buffer overflow in do_del_chan()
If we don't restrict "cp.channum" to 3 digits then the sprintf() will overflow. I've added a check and changed the sprintf() to snprintf(). Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
parent
392c6ff87f
commit
96a8d14e87
@ -773,7 +773,9 @@ do_del_chan (struct net_device * musycc_dev, void *data)
|
||||
if (copy_from_user (&cp, data,
|
||||
sizeof (struct sbecom_chan_param)))
|
||||
return -EFAULT;
|
||||
sprintf (buf, CHANNAME "%d", cp.channum);
|
||||
if (cp.channum > 999)
|
||||
return -EINVAL;
|
||||
snprintf (buf, sizeof(buf), CHANNAME "%d", cp.channum);
|
||||
if (!(dev = dev_get_by_name (&init_net, buf)))
|
||||
return -ENOENT;
|
||||
dev_put (dev);
|
||||
|
Loading…
Reference in New Issue
Block a user