Replace unbounded sprintf() with snprintf() using sizeof(info) as
the bound when constructing the board_name string from bdname and
bdtype. The previous call had no size limit and could overflow the
64-byte stack buffer if the concatenated string exceeded 63 bytes.

Fixes: c9c36bf56e4c ("samsung: misc: use board specific functions to set env board info")
Signed-off-by: Ngo Luong Thanh Tra <[email protected]>
To: [email protected]
---

 board/samsung/common/misc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/board/samsung/common/misc.c b/board/samsung/common/misc.c
index c134a9d70e2..6718f607875 100644
--- a/board/samsung/common/misc.c
+++ b/board/samsung/common/misc.c
@@ -104,7 +104,7 @@ void set_board_info(void)
        if (!bdtype)
                bdtype = "";
 
-       sprintf(info, "%s%s", bdname, bdtype);
+       snprintf(info, sizeof(info), "%s%s", bdname, bdtype);
        env_set("board_name", info);
 #endif
        snprintf(info, ARRAY_SIZE(info),  "%s%x-%s%s.dtb",
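
Review bot: the return value of the new snprintf() call is ignored, so when bdname and bdtype together do not fit in info, the string is silently truncated and env_set("board_name", info) stores a shortened board name without any indication. Consider checking whether the result is >= sizeof(info) and printing a warning or skipping the env_set() in that case, so a truncated name cannot be mistaken for a valid one. As a style point, the snprintf() just below in the same function bounds the same buffer with ARRAY_SIZE(info); using the same form here would keep the two calls consistent.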
-- 
2.53.0

base-commit: c704af3c8b0f37929bce8c2a4bba27d6e89919c7
branch: fix/sys-cbsize-overflow-series
