dell_rbu: use scnprintf() instead of less secure sprintf()

Pavel Roskin · torvalds · commit 81156928f8fe · 2009-01-17T14:27:18.000-08:00
Reading 0 bytes from /sys/devices/platform/dell_rbu/image_type or
/sys/devices/platform/dell_rbu/packet_size by an ordinary user causes an
oops.

Signed-off-by: Pavel Roskin &lt;proski@gnu.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
diff --git a/drivers/firmware/dell_rbu.c b/drivers/firmware/dell_rbu.c
@@ -576,7 +576,7 @@ static ssize_t read_rbu_image_type(struct kobject *kobj,
 {
 	int size = 0;
 	if (!pos)
-		size = sprintf(buffer, "%s\n", image_type);
+		size = scnprintf(buffer, count, "%s\n", image_type);
 	return size;
 }
 
@@ -648,7 +648,7 @@ static ssize_t read_rbu_packet_size(struct kobject *kobj,
 	int size = 0;
 	if (!pos) {
 		spin_lock(&rbu_data.lock);
-		size = sprintf(buffer, "%lu\n", rbu_data.packetsize);
+		size = scnprintf(buffer, count, "%lu\n", rbu_data.packetsize);
 		spin_unlock(&rbu_data.lock);
 	}
 	return size;

Original file line number	Diff line number	Diff line change
`@@ -576,7 +576,7 @@ static ssize_t read_rbu_image_type(struct kobject *kobj,`
`576`	`576`	`{`
`577`	`577`	`int size = 0;`
`578`	`578`	`if (!pos)`
`579`		`- size = sprintf(buffer, "%s\n", image_type);`
	`579`	`+ size = scnprintf(buffer, count, "%s\n", image_type);`
`580`	`580`	`return size;`
`581`	`581`	`}`
`582`	`582`
`@@ -648,7 +648,7 @@ static ssize_t read_rbu_packet_size(struct kobject *kobj,`
`648`	`648`	`int size = 0;`
`649`	`649`	`if (!pos) {`
`650`	`650`	`spin_lock(&rbu_data.lock);`
`651`		`- size = sprintf(buffer, "%lu\n", rbu_data.packetsize);`
	`651`	`+ size = scnprintf(buffer, count, "%lu\n", rbu_data.packetsize);`
`652`	`652`	`spin_unlock(&rbu_data.lock);`
`653`	`653`	`}`
`654`	`654`	`return size;`