greybus: firmware: fix potential stack corruption

Use snprintf when generating the firmware name to avoid stack corruption if the fixed-size buffer overflows. Note that the current buffer size appears to expect 16-bit ids while the they are actually 32-bit, something which could trigger the corruption. Signed-off-by: Johan Hovold <johan@hovoldconsulting.com> Reviewed-by: Viresh Kumar <viresh.kumar@linaro.org>

greybus: firmware: fix potential stack corruption
Use snprintf when generating the firmware name to avoid stack corruption if the fixed-size buffer overflows. Note that the current buffer size appears to expect 16-bit ids while the they are actually 32-bit, something which could trigger the corruption. Signed-off-by: Johan Hovold <johan@hovoldconsulting.com> Reviewed-by: Viresh Kumar <viresh.kumar@linaro.org>
af0b4d5a · Johan Hovold · 977e209a · af0b4d5a
Commit af0b4d5a authored Aug 28, 2015 by Johan Hovold
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 3 deletions

drivers/staging/greybus/firmware.c drivers/staging/greybus/firmware.c +4 -3

No files found.
--- a/drivers/staging/greybus/firmware.c
+++ b/drivers/staging/greybus/firmware.c
@@ -38,9 +38,10 @@ static int download_firmware(struct gb_firmware *firmware, u8 stage)
 	 *
 	 * XXX Name it properly..
 	 */
-	sprintf(firmware_name, "ara:%04x:%04x:%04x:%04x:%04x.fw", intf->unipro_mfg_id,
+	snprintf(firmware_name, sizeof(firmware_name),
-		intf->unipro_prod_id, intf->ara_vend_id, intf->ara_prod_id,
+		 "ara:%04x:%04x:%04x:%04x:%04x.fw",
-		stage);
+		 intf->unipro_mfg_id, intf->unipro_prod_id,
+		 intf->ara_vend_id, intf->ara_prod_id, stage);
 	return request_firmware(&firmware->fw, firmware_name, &connection->dev);
 }