In miiphy_register() the new device's name was initialised by passing a string parameter as the format string to sprintf(). As this would cause problems if it ever contained a '%' symbol, switch to using strncpy() instead.

Signed-off-by: Laurence Withers lwithers@guralp.com Cc: Andy Fleming afleming@freescale.com --- Changes for v2: - Use strncpy() rather than plain strcpy() for extra safety.

Changes for v3: - Use BUG_ON() as an additional safety measure to ensure the name never exceeds the buffer size MDIO_NAME_LEN, simplifying the previous test. --- common/miiphyutil.c | 14 ++++---------- 1 files changed, 4 insertions(+), 10 deletions(-)

diff --git a/common/miiphyutil.c b/common/miiphyutil.c index bcab74e..35ad357 100644 --- a/common/miiphyutil.c +++ b/common/miiphyutil.c @@ -111,7 +111,8 @@ void miiphy_register(const char *name, { struct mii_dev *new_dev; struct legacy_mii_dev *ldev; - unsigned int name_len; + + BUG_ON(strlen(name) >= MDIO_NAME_LEN);

/* check if we have unique name */ new_dev = miiphy_get_dev_by_name(name); @@ -121,14 +122,6 @@ void miiphy_register(const char *name, }

/* allocate memory */ - name_len = strlen(name); - if (name_len > MDIO_NAME_LEN - 1) { - /* Hopefully this won't happen, but if it does, we'll know */ - printf("miiphy_register: MDIO name was longer than %d\n", - MDIO_NAME_LEN); - return; - } - new_dev = mdio_alloc(); ldev = malloc(sizeof(*ldev));

@@ -141,7 +134,8 @@ void miiphy_register(const char *name, /* initalize mii_dev struct fields */ new_dev->read = legacy_miiphy_read; new_dev->write = legacy_miiphy_write; - sprintf(new_dev->name, name); + strncpy(new_dev->name, name, MDIO_NAME_LEN); + new_dev->name[MDIO_NAME_LEN - 1] = 0; ldev->read = read; ldev->write = write; new_dev->priv = ldev;