Valid pathnames will never exceed PATH_MAX, but these file names
are unsanitized and can cause buffer overflow if set incorrectly.
Use snprintf to avoid this. This was flagged during a Coverity scan
of the coreboot project, which also uses kconfig for its build system.
Signed-off-by: Jacob Garber <jgarber1@xxxxxxxxxxx>
---
scripts/kconfig/confdata.c | 7 ++++---
scripts/kconfig/lexer.l | 3 ++-
2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/scripts/kconfig/confdata.c b/scripts/kconfig/confdata.c
index 08ba146a8..847fe428a 100644
--- a/scripts/kconfig/confdata.c
+++ b/scripts/kconfig/confdata.c
@@ -194,7 +194,7 @@ char *conf_get_default_confname(void)
name = expand_string(conf_defname);
env = getenv(SRCTREE);
if (env) {
- sprintf(fullname, "%s/%s", env, name);
+ snprintf(fullname, sizeof(fullname), "%s/%s", env, name);
if (is_present(fullname))
return fullname;
}
@@ -843,10 +843,11 @@ int conf_write(const char *name)
} else
basename = conf_get_configname();
- sprintf(newname, "%s%s", dirname, basename);
+ snprintf(newname, sizeof(newname), "%s%s", dirname, basename);
env = getenv("KCONFIG_OVERWRITECONFIG");
if (!env || !*env) {
- sprintf(tmpname, "%s.tmpconfig.%d", dirname, (int)getpid());
+ snprintf(tmpname, sizeof(tmpname),
+ "%s.tmpconfig.%d", dirname, (int)getpid());
out = fopen(tmpname, "w");
} else {
*tmpname = 0;
diff --git a/scripts/kconfig/lexer.l b/scripts/kconfig/lexer.l
index c9df1c8b9..6354c905b 100644
--- a/scripts/kconfig/lexer.l
+++ b/scripts/kconfig/lexer.l
@@ -378,7 +378,8 @@ FILE *zconf_fopen(const char *name)
if (!f && name != NULL && name[0] != '/') {
env = getenv(SRCTREE);
if (env) {
- sprintf(fullname, "%s/%s", env, name);
+ snprintf(fullname, sizeof(fullname),
+ "%s/%s", env, name);
f = fopen(fullname, "r");
}
}
--
2.21.0
