The "chan" value comes from the user via sysfs. A large like UINT_MAX could overflow the buffer by three bytes. Make the buffer larger and use snprintf() instead of sprintf(). Fixes: 1aa66a3a135a ("ptp: ocp: Program the signal generators via PTP_CLK_REQ_PEROUT") Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx> --- drivers/ptp/ptp_ocp.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/ptp/ptp_ocp.c b/drivers/ptp/ptp_ocp.c index 56b04a7bba3a..f0565c4a85df 100644 --- a/drivers/ptp/ptp_ocp.c +++ b/drivers/ptp/ptp_ocp.c @@ -968,15 +968,15 @@ ptp_ocp_verify(struct ptp_clock_info *ptp_info, unsigned pin, enum ptp_pin_function func, unsigned chan) { struct ptp_ocp *bp = container_of(ptp_info, struct ptp_ocp, ptp_info); - char buf[16]; + char buf[20]; if (func != PTP_PF_PEROUT) return -EOPNOTSUPP; if (chan) - sprintf(buf, "OUT: GEN%d", chan); + snprintf(buf, sizeof(buf), "OUT: GEN%d", chan); else - sprintf(buf, "OUT: PHC"); + snprintf(buf, sizeof(buf), "OUT: PHC"); return ptp_ocp_sma_store(bp, buf, pin + 1); } -- 2.20.1