[PATCH 3/5] Fix memory corruption bug in dev_id()

Sascha Hauer s.hauer at pengutronix.de
Thu Jul 28 03:58:18 EDT 2011


The size of the static buffer in dev_id was only 8 bytes
(sizeof(long) * 2). This is completely bogus, so give
the buffer a sane length and also make sure we don't
write beyond the buffer using snprintf.

Signed-off-by: Sascha Hauer <s.hauer at pengutronix.de>
---
 drivers/base/driver.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/base/driver.c b/drivers/base/driver.c
index b5166c8..bb6df3c 100644
--- a/drivers/base/driver.c
+++ b/drivers/base/driver.c
@@ -284,9 +284,9 @@ EXPORT_SYMBOL(dummy_probe);
 
 const char *dev_id(const struct device_d *dev)
 {
-	static char buf[sizeof(unsigned long) * 2];
+	static char buf[MAX_DRIVER_NAME + 16];
 
-	sprintf(buf, FORMAT_DRIVER_MANE_ID, dev->name, dev->id);
+	snprintf(buf, sizeof(buf), FORMAT_DRIVER_MANE_ID, dev->name, dev->id);
 
 	return buf;
 }
-- 
1.7.5.4




More information about the barebox mailing list