From patchwork Tue Apr 21 09:31:10 2015 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Dan Carpenter X-Patchwork-Id: 29217 Received: from mail.tu-berlin.de ([130.149.7.33]) by www.linuxtv.org with esmtp (Exim 4.72) (envelope-from ) id 1YkUWp-0004NA-DO; Tue, 21 Apr 2015 11:31:39 +0200 X-tubIT-Incoming-IP: 209.132.180.67 Received: from vger.kernel.org ([209.132.180.67]) by mail.tu-berlin.de (exim-4.76/mailfrontend-7) with esmtp id 1YkUWk-0004g9-2Q; Tue, 21 Apr 2015 11:31:36 +0200 Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751297AbbDUJbb (ORCPT + 1 other); Tue, 21 Apr 2015 05:31:31 -0400 Received: from userp1040.oracle.com ([156.151.31.81]:26710 "EHLO userp1040.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750867AbbDUJba (ORCPT ); Tue, 21 Apr 2015 05:31:30 -0400 Received: from aserv0021.oracle.com (aserv0021.oracle.com [141.146.126.233]) by userp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id t3L9VPmP010816 (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 21 Apr 2015 09:31:25 GMT Received: from userv0121.oracle.com (userv0121.oracle.com [156.151.31.72]) by aserv0021.oracle.com (8.13.8/8.13.8) with ESMTP id t3L9VOd9027228 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Tue, 21 Apr 2015 09:31:24 GMT Received: from abhmp0005.oracle.com (abhmp0005.oracle.com [141.146.116.11]) by userv0121.oracle.com (8.13.8/8.13.8) with ESMTP id t3L9VNDf015923; Tue, 21 Apr 2015 09:31:23 GMT Received: from mwanda (/154.0.139.178) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Tue, 21 Apr 2015 02:31:22 -0700 Date: Tue, 21 Apr 2015 12:31:10 +0300 From: Dan Carpenter To: Hyun Kwon Cc: Laurent Pinchart , Mauro Carvalho Chehab , Michal Simek , =?iso-8859-1?Q?S=F6ren?= Brinkmann , linux-media@vger.kernel.org, kernel-janitors@vger.kernel.org Subject: [patch] [media] v4l: xilinx: harmless buffer overflow Message-ID: <20150421093110.GD12098@mwanda> MIME-Version: 1.0 Content-Disposition: inline User-Agent: Mutt/1.5.23 (2014-03-12) X-Source-IP: aserv0021.oracle.com [141.146.126.233] Sender: linux-media-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-media@vger.kernel.org X-PMX-Version: 6.0.0.2142326, Antispam-Engine: 2.7.2.2107409, Antispam-Data: 2015.4.21.92119 X-PMX-Spam: Gauge=IIIIIIIII, Probability=9%, Report=' MULTIPLE_RCPTS 0.1, HTML_00_01 0.05, HTML_00_10 0.05, MSGID_ADDED_BY_MTA 0.05, BODYTEXTP_SIZE_3000_LESS 0, BODY_SIZE_1500_1599 0, BODY_SIZE_2000_LESS 0, BODY_SIZE_5000_LESS 0, BODY_SIZE_7000_LESS 0, INVALID_MSGID_NO_FQDN 0, URI_ENDS_IN_HTML 0, __ANY_URI 0, __CD 0, __CP_URI_IN_BODY 0, __CT 0, __CT_TEXT_PLAIN 0, __DATE_TZ_RU 0, __HAS_FROM 0, __HAS_MSGID 0, __HAS_X_MAILING_LIST 0, __MIME_TEXT_ONLY 0, __MIME_VERSION 0, __MULTIPLE_RCPTS_CC_X2 0, __SANE_MSGID 0, __SUBJ_ALPHA_END 0, __TO_MALFORMED_2 0, __URI_NO_WWW 0, __URI_NS , __USER_AGENT 0' My static checker warns that the name of the port can be 15 characters when you consider the NUL terminator and that's one more than the 14 characters in name[]. Maybe it's an off-by-one? It's unlikely that we hit the limit and even if we do the overflow will only affect one of the two bytes of padding so it's harmless. Still let's fix it and also change the sprintf() to snprintf(). Signed-off-by: Dan Carpenter Acked-by: Laurent Pinchart --- To unsubscribe from this list: send the line "unsubscribe linux-media" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/drivers/media/platform/xilinx/xilinx-dma.c b/drivers/media/platform/xilinx/xilinx-dma.c index efde88a..98e50e4 100644 --- a/drivers/media/platform/xilinx/xilinx-dma.c +++ b/drivers/media/platform/xilinx/xilinx-dma.c @@ -653,7 +653,7 @@ static const struct v4l2_file_operations xvip_dma_fops = { int xvip_dma_init(struct xvip_composite_device *xdev, struct xvip_dma *dma, enum v4l2_buf_type type, unsigned int port) { - char name[14]; + char name[16]; int ret; dma->xdev = xdev; @@ -725,7 +725,7 @@ int xvip_dma_init(struct xvip_composite_device *xdev, struct xvip_dma *dma, } /* ... and the DMA channel. */ - sprintf(name, "port%u", port); + snprintf(name, sizeof(name), "port%u", port); dma->dma = dma_request_slave_channel(dma->xdev->dev, name); if (dma->dma == NULL) { dev_err(dma->xdev->dev, "no VDMA channel found\n");