[U-Boot] [PATCH] fsl/sata: Replace sprintf() with snprintf()

From: Tang Yuantian Yuantian.Tang@freescale.com
Function 'sprintf' does not check buffer boundaries but outputs to the buffer of fixed size which could potentially cause buffer overflow. Use a safer function to replace it.
Signed-off-by: Tang Yuantian Yuantian.Tang@freescale.com --- drivers/block/fsl_sata.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/block/fsl_sata.c b/drivers/block/fsl_sata.c index 71d7cec..735708a 100644 --- a/drivers/block/fsl_sata.c +++ b/drivers/block/fsl_sata.c @@ -113,7 +113,7 @@ int init_sata(int dev) /* Save the private struct to block device struct */ sata_dev_desc[dev].priv = (void *)sata;
- sprintf(sata->name, "SATA%d", dev); + snprintf(sata->name, 12, "SATA%d", dev);
/* Set the controller register base address to device struct */ reg = (fsl_sata_reg_t *)(fsl_sata_info[dev].sata_reg_base);
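Review bot: The bound in the added snprintf() call is the literal 12, which is not tied to anything visible in this hunk. If sata->name is an array member, sizeof(sata->name) would keep the limit in step with its declaration; otherwise a named constant shared with the declaration would do the same. The return value is also discarded, so a truncated name would go unnoticed; compare it against the buffer size if truncation matters here.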

On Wed, May 06, 2015 at 11:21:33AM +0800, tang yuantian wrote:
> From: Tang Yuantian Yuantian.Tang@freescale.com
> Function 'sprintf' does not check buffer boundaries but outputs to the buffer of fixed size which could potentially cause buffer overflow. Use a safer function to replace it.
> Signed-off-by: Tang Yuantian Yuantian.Tang@freescale.com
Applied to u-boot/master, thanks!

Hi,
On 28 May 2015 at 07:25, Tom Rini trini@konsulko.com wrote:
> On Wed, May 06, 2015 at 11:21:33AM +0800, tang yuantian wrote:
> > From: Tang Yuantian Yuantian.Tang@freescale.com
> > Function 'sprintf' does not check buffer boundaries but outputs to the buffer of fixed size which could potentially cause buffer overflow. Use a safer function to replace it.
> > Signed-off-by: Tang Yuantian Yuantian.Tang@freescale.com
> Applied to u-boot/master, thanks!
Just in case others miss it, you need to enable an option to make this actually change something:
- Safe printf() functions
  Define CONFIG_SYS_VSNPRINTF to compile in safe versions of the printf() functions. These are defined in include/vsprintf.h and include snprintf(), vsnprintf() and so on. Code size increase is approximately 300-500 bytes. If this option is not given then these functions will silently discard their buffer size argument - this means you are not getting any overflow checking in this case.
Regards, Simon
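The behaviour described in the message above, as an added example (not code from U-Boot or from this thread): the hypothetical helper `snprintf_size_ignored()` models a build where the size argument is discarded, and a constructed out-of-range `dev` value shows that the 12-byte bound only holds when the size is honoured. The function names, the 32-byte arena and the `dev` value are assumptions made for the illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN  12 /* bound passed in the patch: snprintf(sata->name, 12, ...) */
#define ARENA_LEN 32 /* constructed: spare room so an overrun stays inside the array */

/* Hypothetical stand-in for a build where the size argument is discarded. */
static int snprintf_size_ignored(char *buf, size_t size, const char *fmt, ...)
{
	va_list ap;
	int n;
	(void)size; /* the bound is never consulted */
	va_start(ap, fmt);
	n = vsprintf(buf, fmt, ap);
	va_end(ap);
	return n;
}

/* Format "SATA<dev>" with a NAME_LEN bound into a poisoned arena and return
 * how many bytes beyond the first NAME_LEN were modified. */
int bytes_past_bound(int size_honoured, int dev)
{
	char arena[ARENA_LEN];
	int i, n = 0;
	memset(arena, 0xAA, sizeof(arena));
	if (size_honoured)
		snprintf(arena, NAME_LEN, "SATA%d", dev);
	else
		snprintf_size_ignored(arena, NAME_LEN, "SATA%d", dev);
	for (i = NAME_LEN; i < ARENA_LEN; i++)
		n += ((unsigned char)arena[i] != 0xAA);
	return n;
}

/* Bounded formatting that reports truncation instead of hiding it. */
int format_name(char *buf, size_t size, int dev)
{
	int n = snprintf(buf, size, "SATA%d", dev);
	return (n < 0 || (size_t)n >= size) ? -1 : 0;
}

int main(void)
{
	char name[NAME_LEN];
	printf("honoured: %d, ignored: %d, truncated: %d\n",
	       bytes_past_bound(1, -2147483647), bytes_past_bound(0, -2147483647),
	       format_name(name, sizeof(name), -2147483647));
	return 0;
}
```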
participants (3): Simon Glass, Tom Rini, Yuantian.Tang@freescale.com