Commit cb3f80c0 authored by David S. Miller's avatar David S. Miller

fs/openpromfs/inode.c: Prevent overflow of sprintf buffer.

parent 5e12f283
...@@ -282,24 +282,27 @@ static ssize_t property_read(struct file *filp, char *buf, ...@@ -282,24 +282,27 @@ static ssize_t property_read(struct file *filp, char *buf,
k += count; k += count;
} else if (op->flag & OPP_HEXSTRING) { } else if (op->flag & OPP_HEXSTRING) {
char buffer[2]; char buffer[8];
if ((k < i - 1) && (k & 1)) { if ((k < i - 1) && (k & 1)) {
sprintf (buffer, "%02x", *(op->value + (k >> 1))); sprintf (buffer, "%02x",
(unsigned) *(op->value + (k >> 1)) & 0xff);
if (put_user(buffer[1], &buf[k++ - filp->f_pos])) if (put_user(buffer[1], &buf[k++ - filp->f_pos]))
return -EFAULT; return -EFAULT;
count--; count--;
} }
for (; (count > 1) && (k < i - 1); k += 2) { for (; (count > 1) && (k < i - 1); k += 2) {
sprintf (buffer, "%02x", *(op->value + (k >> 1))); sprintf (buffer, "%02x",
(unsigned) *(op->value + (k >> 1)) & 0xff);
if (copy_to_user(buf + k - filp->f_pos, buffer, 2)) if (copy_to_user(buf + k - filp->f_pos, buffer, 2))
return -EFAULT; return -EFAULT;
count -= 2; count -= 2;
} }
if (count && (k < i - 1)) { if (count && (k < i - 1)) {
sprintf (buffer, "%02x", *(op->value + (k >> 1))); sprintf (buffer, "%02x",
(unsigned) *(op->value + (k >> 1)) & 0xff);
if (put_user(buffer[0], &buf[k++ - filp->f_pos])) if (put_user(buffer[0], &buf[k++ - filp->f_pos]))
return -EFAULT; return -EFAULT;
count--; count--;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment