Commit cb3f80c0 authored by David S. Miller's avatar David S. Miller

fs/openpromfs/inode.c: Prevent overflow of sprintf buffer.

parent 5e12f283
......@@ -282,24 +282,27 @@ static ssize_t property_read(struct file *filp, char *buf,
k += count;
} else if (op->flag & OPP_HEXSTRING) {
char buffer[2];
char buffer[8];
if ((k < i - 1) && (k & 1)) {
sprintf (buffer, "%02x", *(op->value + (k >> 1)));
sprintf (buffer, "%02x",
(unsigned) *(op->value + (k >> 1)) & 0xff);
if (put_user(buffer[1], &buf[k++ - filp->f_pos]))
return -EFAULT;
count--;
}
for (; (count > 1) && (k < i - 1); k += 2) {
sprintf (buffer, "%02x", *(op->value + (k >> 1)));
sprintf (buffer, "%02x",
(unsigned) *(op->value + (k >> 1)) & 0xff);
if (copy_to_user(buf + k - filp->f_pos, buffer, 2))
return -EFAULT;
count -= 2;
}
if (count && (k < i - 1)) {
sprintf (buffer, "%02x", *(op->value + (k >> 1)));
sprintf (buffer, "%02x",
(unsigned) *(op->value + (k >> 1)) & 0xff);
if (put_user(buffer[0], &buf[k++ - filp->f_pos]))
return -EFAULT;
count--;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment