If we don't restrict "cp.channum" to 3 digits then the sprintf() will overflow. I've added a check and changed the sprintf() to snprintf(). Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx> diff --git a/drivers/staging/cxt1e1/linux.c b/drivers/staging/cxt1e1/linux.c index 0ff2865..a829b62 100644 --- a/drivers/staging/cxt1e1/linux.c +++ b/drivers/staging/cxt1e1/linux.c @@ -773,7 +773,9 @@ do_del_chan (struct net_device * musycc_dev, void *data) if (copy_from_user (&cp, data, sizeof (struct sbecom_chan_param))) return -EFAULT; - sprintf (buf, CHANNAME "%d", cp.channum); + if (cp.channum > 999) + return -EINVAL; + snprintf (buf, sizeof(buf), CHANNAME "%d", cp.channum); if (!(dev = dev_get_by_name (&init_net, buf))) return -ENOENT; dev_put (dev); -- To unsubscribe from this list: send the line "unsubscribe kernel-janitors" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html