[PATCH] speakup: replace sprintf() by scnprintf()

From: Samuel Thibault
Date: Wed Jun 30 2021 - 18:42:58 EST

Next message: kernel test robot: "[tip:sched/urgent] BUILD SUCCESS a22a5cb81e20657194fde6c835e07d28c4dfddbe"
Previous message: Halil Pasic: "Re: [PATCH] s390/vfio-ap: do not use open locks during VFIO_GROUP_NOTIFY_SET_KVM notification"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Replace sprintf() by scnprintf() in order to avoid buffer overflows.

Signed-off-by: Salah Triki <salah.triki@xxxxxxxxx>
Signed-off-by: Samuel Thibault <samuel.thibault@xxxxxxxxxxxx>
---
drivers/accessibility/speakup/speakup_soft.c | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/drivers/accessibility/speakup/speakup_soft.c b/drivers/accessibility/speakup/speakup_soft.c
index c3f97c572fb6..19824e7006fe 100644
--- a/drivers/accessibility/speakup/speakup_soft.c
+++ b/drivers/accessibility/speakup/speakup_soft.c
@@ -153,18 +153,25 @@ static char *get_initstring(void)
static char buf[40];
char *cp;
struct var_t *var;
+ size_t len;
+ size_t n;

memset(buf, 0, sizeof(buf));
cp = buf;
+ len = sizeof(buf);
+
var = synth_soft.vars;
while (var->var_id != MAXVARS) {
if (var->var_id != CAPS_START && var->var_id != CAPS_STOP &&
- var->var_id != PAUSE && var->var_id != DIRECT)
- cp = cp + sprintf(cp, var->u.n.synth_fmt,
- var->u.n.value);
+ var->var_id != PAUSE && var->var_id != DIRECT) {
+ n = scnprintf(cp, len, var->u.n.synth_fmt,
+ var->u.n.value);
+ cp = cp + n;
+ len = len - n;
+ }
var++;
}
- cp = cp + sprintf(cp, "\n");
+ cp = cp + scnprintf(cp, len, "\n");
return buf;
}

--
2.25.1

Next message: kernel test robot: "[tip:sched/urgent] BUILD SUCCESS a22a5cb81e20657194fde6c835e07d28c4dfddbe"
Previous message: Halil Pasic: "Re: [PATCH] s390/vfio-ap: do not use open locks during VFIO_GROUP_NOTIFY_SET_KVM notification"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]