| From 81156928f8fe31621e467490b9d441c0285998c3 Mon Sep 17 00:00:00 2001 |
| From: Pavel Roskin <proski@gnu.org> |
| Date: Sat, 17 Jan 2009 13:33:03 -0500 |
| Subject: dell_rbu: use scnprintf() instead of less secure sprintf() |
| |
| From: Pavel Roskin <proski@gnu.org> |
| |
| commit 81156928f8fe31621e467490b9d441c0285998c3 upstream. |
| |
| Reading 0 bytes from /sys/devices/platform/dell_rbu/image_type or |
| /sys/devices/platform/dell_rbu/packet_size by an ordinary user causes an |
| oops. |
| |
| Signed-off-by: Pavel Roskin <proski@gnu.org> |
| Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> |
| |
| --- |
| drivers/firmware/dell_rbu.c | 4 ++-- |
| 1 file changed, 2 insertions(+), 2 deletions(-) |
| |
| --- a/drivers/firmware/dell_rbu.c |
| +++ b/drivers/firmware/dell_rbu.c |
| @@ -576,7 +576,7 @@ static ssize_t read_rbu_image_type(struc |
| { |
| int size = 0; |
| if (!pos) |
| - size = sprintf(buffer, "%s\n", image_type); |
| + size = scnprintf(buffer, count, "%s\n", image_type); |
| return size; |
| } |
| |
| @@ -648,7 +648,7 @@ static ssize_t read_rbu_packet_size(stru |
| int size = 0; |
| if (!pos) { |
| spin_lock(&rbu_data.lock); |
| - size = sprintf(buffer, "%lu\n", rbu_data.packetsize); |
| + size = scnprintf(buffer, count, "%lu\n", rbu_data.packetsize); |
| spin_unlock(&rbu_data.lock); |
| } |
| return size; |
