[alsa-devel] [PATCH v2 3/7] ALSA: ad1848: fix format string overflow warning

Arnd Bergmann arnd at arndb.de
Tue Jul 18 13:48:06 CEST 2017


The snd_pcm name is too long to fit into the card shortname
or a part of the longname:

sound/isa/ad1848/ad1848.c: In function 'snd_ad1848_probe':
sound/isa/ad1848/ad1848.c:116:26: error: ' at 0x' directive writing 6 bytes into a region of size between 1 and 80 [-Werror=format-overflow=]
  sprintf(card->longname, "%s at 0x%lx, irq %d, dma %d",
                          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
sound/isa/ad1848/ad1848.c:116:2: note: 'sprintf' output between 22 and 128 bytes into a destination of size 80
  sprintf(card->longname, "%s at 0x%lx, irq %d, dma %d",
  ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   chip->pcm->name, chip->port, irq[n], dma1[n]);
   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This changes the code to use length-checking functions that truncate
if necessary. The "[Thinkpad]" substring is now also part of the
snprintf(), as that could also overflow the buffer.

Signed-off-by: Arnd Bergmann <arnd at arndb.de>
---
 sound/isa/ad1848/ad1848.c | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/sound/isa/ad1848/ad1848.c b/sound/isa/ad1848/ad1848.c
index e739b1c85c25..7c8e92f62f3b 100644
--- a/sound/isa/ad1848/ad1848.c
+++ b/sound/isa/ad1848/ad1848.c
@@ -110,13 +110,17 @@ static int snd_ad1848_probe(struct device *dev, unsigned int n)
 	if (error < 0)
 		goto out;
 
-	strcpy(card->driver, "AD1848");
-	strcpy(card->shortname, chip->pcm->name);
-
-	sprintf(card->longname, "%s at 0x%lx, irq %d, dma %d",
-		chip->pcm->name, chip->port, irq[n], dma1[n]);
-	if (thinkpad[n])
-		strcat(card->longname, " [Thinkpad]");
+	strlcpy(card->driver, "AD1848", sizeof(card->driver));
+	strlcpy(card->shortname, chip->pcm->name, sizeof(card->shortname));
+
+	if (!thinkpad[n])
+		snprintf(card->longname, sizeof(card->longname),
+			 "%s at 0x%lx, irq %d, dma %d",
+			 chip->pcm->name, chip->port, irq[n], dma1[n]);
+	else
+		snprintf(card->longname, sizeof(card->longname),
+			 "%s at 0x%lx, irq %d, dma %d [Thinkpad]",
+			 chip->pcm->name, chip->port, irq[n], dma1[n]);
 
 	error = snd_card_register(card);
 	if (error < 0)
-- 
2.9.0



More information about the Alsa-devel mailing list