tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

ALSA: cs423x: fix format string overflow warning

The snd_pcm name may overflow the card->longname total size:

sound/isa/cs423x/cs4231.c: In function 'snd_cs4231_probe':
sound/isa/cs423x/cs4231.c:115:26: error: ' at 0x' directive writing 6 bytes into a region of size between 1 and 80 [-Werror=format-overflow=] 0x%lx, irq %d, dma %d",
sprintf(card->longname, "%s at 0x%lx, irq %d, dma %d",
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This changes the driver to use snprintf() so we truncate the string
instead of overflowing into the next field if that happens.

I decided to split out the second format string for the extra
DMA channel to keep the code simpler.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Takashi Iwai <tiwai@suse.de>

authored by

Arnd Bergmann and committed by
Takashi Iwai 6d8b04de 8a463639

+21 -15
+10 -6
sound/isa/cs423x/cs4231.c
··· 109 109 if (error < 0) 110 110 goto out; 111 111 112 - strcpy(card->driver, "CS4231"); 113 - strcpy(card->shortname, chip->pcm->name); 112 + strlcpy(card->driver, "CS4231", sizeof(card->driver)); 113 + strlcpy(card->shortname, chip->pcm->name, sizeof(card->shortname)); 114 114 115 - sprintf(card->longname, "%s at 0x%lx, irq %d, dma %d", 116 - chip->pcm->name, chip->port, irq[n], dma1[n]); 117 - if (dma2[n] >= 0) 118 - sprintf(card->longname + strlen(card->longname), "&%d", dma2[n]); 115 + if (dma2[n] < 0) 116 + snprintf(card->longname, sizeof(card->longname), 117 + "%s at 0x%lx, irq %d, dma %d", 118 + chip->pcm->name, chip->port, irq[n], dma1[n]); 119 + else 120 + snprintf(card->longname, sizeof(card->longname), 121 + "%s at 0x%lx, irq %d, dma %d&%d", 122 + chip->pcm->name, chip->port, irq[n], dma1[n], dma2[n]); 119 123 120 124 error = snd_wss_mixer(chip); 121 125 if (error < 0)
+11 -9
sound/isa/cs423x/cs4236.c
··· 419 419 if (err < 0) 420 420 return err; 421 421 } 422 - strcpy(card->driver, chip->pcm->name); 423 - strcpy(card->shortname, chip->pcm->name); 424 - sprintf(card->longname, "%s at 0x%lx, irq %i, dma %i", 425 - chip->pcm->name, 426 - chip->port, 427 - irq[dev], 428 - dma1[dev]); 429 - if (dma2[dev] >= 0) 430 - sprintf(card->longname + strlen(card->longname), "&%d", dma2[dev]); 422 + strlcpy(card->driver, chip->pcm->name, sizeof(card->driver)); 423 + strlcpy(card->shortname, chip->pcm->name, sizeof(card->shortname)); 424 + if (dma2[dev] < 0) 425 + snprintf(card->longname, sizeof(card->longname), 426 + "%s at 0x%lx, irq %i, dma %i", 427 + chip->pcm->name, chip->port, irq[dev], dma1[dev]); 428 + else 429 + snprintf(card->longname, sizeof(card->longname), 430 + "%s at 0x%lx, irq %i, dma %i&%d", 431 + chip->pcm->name, chip->port, irq[dev], dma1[dev], 432 + dma2[dev]); 431 433 432 434 err = snd_wss_timer(chip, 0); 433 435 if (err < 0)