strcpy() performs no bounds checking on the destination buffer. This could result in linear overflows beyond the end of the buffer, leading to all kinds of misbehaviors. The safe replacement is strscpy(). Signed-off-by: Len Baker <len.baker@xxxxxxx> --- drivers/staging/vc04_services/bcm2835-camera/bcm2835-camera.c | 2 +- drivers/staging/vc04_services/interface/vchiq_arm/vchiq_core.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/staging/vc04_services/bcm2835-camera/bcm2835-camera.c b/drivers/staging/vc04_services/bcm2835-camera/bcm2835-camera.c index df90c1f9d148..1b184d5c6b82 100644 --- a/drivers/staging/vc04_services/bcm2835-camera/bcm2835-camera.c +++ b/drivers/staging/vc04_services/bcm2835-camera/bcm2835-camera.c @@ -884,7 +884,7 @@ static int vidioc_querycap(struct file *file, void *priv, vchiq_mmal_version(dev->instance, &major, &minor); - strcpy((char *)cap->driver, "bm2835 mmal"); + strscpy(cap->driver, "bm2835 mmal", sizeof(cap->driver)); snprintf((char *)cap->card, sizeof(cap->card), "mmal service %d.%d", major, minor); diff --git a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_core.c b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_core.c index 4f43e4213bfe..9429b8a642fb 100644 --- a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_core.c +++ b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_core.c @@ -3716,7 +3716,7 @@ int vchiq_dump_service_state(void *dump_context, struct vchiq_service *service) sizeof(remoteport) - len2, " (client %x)", service->client_id); } else { - strcpy(remoteport, "n/a"); + strscpy(remoteport, "n/a", sizeof(remoteport)); } len += scnprintf(buf + len, sizeof(buf) - len, -- 2.25.1