lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <20170718114820.3681255-1-arnd@arndb.de>
Date:   Tue, 18 Jul 2017 13:48:04 +0200
From:   Arnd Bergmann <arnd@...db.de>
To:     Jaroslav Kysela <perex@...ex.cz>, Takashi Iwai <tiwai@...e.com>
Cc:     Arnd Bergmann <arnd@...db.de>, alsa-devel@...a-project.org,
        linux-kernel@...r.kernel.org
Subject: [PATCH v2 1/7] ALSA: als100: fix format string overflow warning

The compiler sees that the format string might overflow for the longname:

sound/isa/als100.c: In function 'snd_als100_pnp_detect':
sound/isa/als100.c:225:27: error: ', dma ' directive writing 6 bytes into a region of size between 0 and 64 [-Werror=format-overflow=]
   sprintf(card->longname, "%s, %s at 0x%lx, irq %d, dma %d",
                           ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
sound/isa/als100.c:225:3: note: 'sprintf' output between 24 and 113 bytes into a destination of size 80
   sprintf(card->longname, "%s, %s at 0x%lx, irq %d, dma %d",

Open-coding "shortname" here gets us below the limit, and using
snprintf() is a good idea too.

Signed-off-by: Arnd Bergmann <arnd@...db.de>
---
 sound/isa/als100.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/sound/isa/als100.c b/sound/isa/als100.c
index bc9ea306ee02..6a2c5b48f3ae 100644
--- a/sound/isa/als100.c
+++ b/sound/isa/als100.c
@@ -222,15 +222,16 @@ static int snd_card_als100_probe(int dev,
 	if (pid->driver_data == SB_HW_DT019X) {
 		strcpy(card->driver, "DT-019X");
 		strcpy(card->shortname, "Diamond Tech. DT-019X");
-		sprintf(card->longname, "%s, %s at 0x%lx, irq %d, dma %d",
-			card->shortname, chip->name, chip->port,
-			irq[dev], dma8[dev]);
+		snprintf(card->longname, sizeof(card->longname),
+			 "Diamond Tech. DT-019X, %s at 0x%lx, irq %d, dma %d",
+			 chip->name, chip->port, irq[dev], dma8[dev]);
 	} else {
 		strcpy(card->driver, "ALS100");
 		strcpy(card->shortname, "Avance Logic ALS100");
-		sprintf(card->longname, "%s, %s at 0x%lx, irq %d, dma %d&%d",
-			card->shortname, chip->name, chip->port,
-			irq[dev], dma8[dev], dma16[dev]);
+		snprintf(card->longname, sizeof(card->longname),
+			 "Avance Logic ALS100, %s at 0x%lx, irq %d, dma %d&%d",
+			 chip->name, chip->port, irq[dev], dma8[dev],
+			 dma16[dev]);
 	}
 
 	if ((error = snd_sb16dsp_pcm(chip, 0)) < 0) {
-- 
2.9.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ