Re: [PATCH] dell-smbios: fix string overflow

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wednesday 08 November 2017 13:08:39 Arnd Bergmann wrote:
> The new sysfs code overwrites two fixed-length character arrays
> that are each one byte shorter than they need to be, to hold
> the trailing \0:
> 
> drivers/platform/x86/dell-smbios.c: In function 'build_tokens_sysfs':
> drivers/platform/x86/dell-smbios.c:494:42: error: 'sprintf' writing a terminating nul past the end of the destination [-Werror=format-overflow=]
>    sprintf(buffer_location, "%04x_location",
> drivers/platform/x86/dell-smbios.c:494:3: note: 'sprintf' output 14 bytes into a destination of size 13
> drivers/platform/x86/dell-smbios.c:506:36: error: 'sprintf' writing a terminating nul past the end of the destination [-Werror=format-overflow=]
>    sprintf(buffer_value, "%04x_value",
> drivers/platform/x86/dell-smbios.c:506:3: note: 'sprintf' output 11 bytes into a destination of size 10
> 
> This changes it to just use kasprintf(), which always gets it right.
> 
> Fixes: 33b9ca1e53b4 ("platform/x86: dell-smbios: Add a sysfs interface for SMBIOS tokens")
> Signed-off-by: Arnd Bergmann <arnd@xxxxxxxx>

Reviewed-by: Pali Rohár <pali.rohar@xxxxxxxxx>

> ---
>  drivers/platform/x86/dell-smbios.c | 12 ++++--------
>  1 file changed, 4 insertions(+), 8 deletions(-)
> 
> diff --git a/drivers/platform/x86/dell-smbios.c b/drivers/platform/x86/dell-smbios.c
> index d99edd803c19..6a60db515bda 100644
> --- a/drivers/platform/x86/dell-smbios.c
> +++ b/drivers/platform/x86/dell-smbios.c
> @@ -463,8 +463,6 @@ static struct platform_driver platform_driver = {
>  
>  static int build_tokens_sysfs(struct platform_device *dev)
>  {
> -	char buffer_location[13];
> -	char buffer_value[10];
>  	char *location_name;
>  	char *value_name;
>  	size_t size;
> @@ -491,9 +489,8 @@ static int build_tokens_sysfs(struct platform_device *dev)
>  		if (da_tokens[i].tokenID == 0)
>  			continue;
>  		/* add location */
> -		sprintf(buffer_location, "%04x_location",
> -			da_tokens[i].tokenID);
> -		location_name = kstrdup(buffer_location, GFP_KERNEL);
> +		location_name = kasprintf(GFP_KERNEL, "%04x_location",
> +					  da_tokens[i].tokenID);
>  		if (location_name == NULL)
>  			goto out_unwind_strings;
>  		sysfs_attr_init(&token_location_attrs[i].attr);
> @@ -503,9 +500,8 @@ static int build_tokens_sysfs(struct platform_device *dev)
>  		token_attrs[j++] = &token_location_attrs[i].attr;
>  
>  		/* add value */
> -		sprintf(buffer_value, "%04x_value",
> -			da_tokens[i].tokenID);
> -		value_name = kstrdup(buffer_value, GFP_KERNEL);
> +		value_name = kasprintf(GFP_KERNEL, "%04x_value",
> +				       da_tokens[i].tokenID);
>  		if (value_name == NULL)
>  			goto loop_fail_create_value;
>  		sysfs_attr_init(&token_value_attrs[i].attr);

-- 
Pali Rohár
pali.rohar@xxxxxxxxx



[Index of Archives]     [Linux Kernel Development]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux