The snd_pcm name may overflow the card->longname total size:
sound/isa/cs423x/cs4231.c: In function 'snd_cs4231_probe': sound/isa/cs423x/cs4231.c:115:26: error: ' at 0x' directive writing 6 bytes into a region of size between 1 and 80 [-Werror=format-overflow=] 0x%lx, irq %d, dma %d", sprintf(card->longname, "%s at 0x%lx, irq %d, dma %d", ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This changes the driver to use snprintf() so we truncate the string instead of overflowing into the next field if that happens.
I decided to split out the second format string for the extra DMA channel to keep the code simpler.
Signed-off-by: Arnd Bergmann arnd@arndb.de --- sound/isa/cs423x/cs4231.c | 18 +++++++++++------- sound/isa/cs423x/cs4236.c | 20 +++++++++++--------- 2 files changed, 22 insertions(+), 16 deletions(-)
diff --git a/sound/isa/cs423x/cs4231.c b/sound/isa/cs423x/cs4231.c index e8edd9017a2f..d90ab9558f7f 100644 --- a/sound/isa/cs423x/cs4231.c +++ b/sound/isa/cs423x/cs4231.c @@ -109,13 +109,17 @@ static int snd_cs4231_probe(struct device *dev, unsigned int n) if (error < 0) goto out;
- strcpy(card->driver, "CS4231"); - strcpy(card->shortname, chip->pcm->name); - - sprintf(card->longname, "%s at 0x%lx, irq %d, dma %d", - chip->pcm->name, chip->port, irq[n], dma1[n]); - if (dma2[n] >= 0) - sprintf(card->longname + strlen(card->longname), "&%d", dma2[n]); + strlcpy(card->driver, "CS4231", sizeof(card->driver)); + strlcpy(card->shortname, chip->pcm->name, sizeof(card->shortname)); + + if (dma2[n] < 0) + snprintf(card->longname, sizeof(card->longname), + "%s at 0x%lx, irq %d, dma %d", + chip->pcm->name, chip->port, irq[n], dma1[n]); + else + snprintf(card->longname, sizeof(card->longname), + "%s at 0x%lx, irq %d, dma %d&%d", + chip->pcm->name, chip->port, irq[n], dma1[n], dma2[n]);
error = snd_wss_mixer(chip); if (error < 0) diff --git a/sound/isa/cs423x/cs4236.c b/sound/isa/cs423x/cs4236.c index 1f9a3b2be7a1..4c09756c7353 100644 --- a/sound/isa/cs423x/cs4236.c +++ b/sound/isa/cs423x/cs4236.c @@ -419,15 +419,17 @@ static int snd_cs423x_probe(struct snd_card *card, int dev) if (err < 0) return err; } - strcpy(card->driver, chip->pcm->name); - strcpy(card->shortname, chip->pcm->name); - sprintf(card->longname, "%s at 0x%lx, irq %i, dma %i", - chip->pcm->name, - chip->port, - irq[dev], - dma1[dev]); - if (dma2[dev] >= 0) - sprintf(card->longname + strlen(card->longname), "&%d", dma2[dev]); + strlcpy(card->driver, chip->pcm->name, sizeof(card->driver)); + strlcpy(card->shortname, chip->pcm->name, sizeof(card->shortname)); + if (dma2[dev] < 0) + snprintf(card->longname, sizeof(card->longname), + "%s at 0x%lx, irq %i, dma %i", + chip->pcm->name, chip->port, irq[dev], dma1[dev]); + else + snprintf(card->longname, sizeof(card->longname), + "%s at 0x%lx, irq %i, dma %i&%d", + chip->pcm->name, chip->port, irq[dev], dma1[dev], + dma2[dev]);
err = snd_wss_timer(chip, 0); if (err < 0)