| Message ID | 20190927145737.7832-1-steve@sk2.org (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | clk/ti/adpll: allocate room for terminating null | expand |
* Stephen Kitt <steve@sk2.org> [190927 15:13]: > The buffer allocated in ti_adpll_clk_get_name doesn't account for the > terminating null. This patch adds the extra byte, and switches to > snprintf to avoid overflowing. > > Signed-off-by: Stephen Kitt <steve@sk2.org> > --- > drivers/clk/ti/adpll.c | 7 ++++--- > 1 file changed, 4 insertions(+), 3 deletions(-) > > diff --git a/drivers/clk/ti/adpll.c b/drivers/clk/ti/adpll.c > index fdfb90058504..27933c4e8a27 100644 > --- a/drivers/clk/ti/adpll.c > +++ b/drivers/clk/ti/adpll.c > @@ -196,12 +196,13 @@ static const char *ti_adpll_clk_get_name(struct ti_adpll_data *d, > } else { > const char *base_name = "adpll"; > char *buf; > + size_t size = 8 + 1 + strlen(base_name) + 1 + > + strlen(postfix) + 1; > > - buf = devm_kzalloc(d->dev, 8 + 1 + strlen(base_name) + 1 + > - strlen(postfix), GFP_KERNEL); > + buf = devm_kzalloc(d->dev, size, GFP_KERNEL); > if (!buf) > return NULL; > - sprintf(buf, "%08lx.%s.%s", d->pa, base_name, postfix); > + snprintf(buf, size, "%08lx.%s.%s", d->pa, base_name, postfix); > name = buf; > } > Thanks for catching this. Maybe just use devm_kasprintf() here? Regards, Tony
Le 27/09/2019 17:23, Tony Lindgren a écrit : > * Stephen Kitt <steve@sk2.org> [190927 15:13]: >> The buffer allocated in ti_adpll_clk_get_name doesn't account for the >> terminating null. This patch adds the extra byte, and switches to >> snprintf to avoid overflowing. >> >> Signed-off-by: Stephen Kitt <steve@sk2.org> >> --- >> drivers/clk/ti/adpll.c | 7 ++++--- >> 1 file changed, 4 insertions(+), 3 deletions(-) >> >> diff --git a/drivers/clk/ti/adpll.c b/drivers/clk/ti/adpll.c >> index fdfb90058504..27933c4e8a27 100644 >> --- a/drivers/clk/ti/adpll.c >> +++ b/drivers/clk/ti/adpll.c >> @@ -196,12 +196,13 @@ static const char *ti_adpll_clk_get_name(struct >> ti_adpll_data *d, >> } else { >> const char *base_name = "adpll"; >> char *buf; >> + size_t size = 8 + 1 + strlen(base_name) + 1 + >> + strlen(postfix) + 1; >> >> - buf = devm_kzalloc(d->dev, 8 + 1 + strlen(base_name) + 1 + >> - strlen(postfix), GFP_KERNEL); >> + buf = devm_kzalloc(d->dev, size, GFP_KERNEL); >> if (!buf) >> return NULL; >> - sprintf(buf, "%08lx.%s.%s", d->pa, base_name, postfix); >> + snprintf(buf, size, "%08lx.%s.%s", d->pa, base_name, postfix); >> name = buf; >> } >> > > Thanks for catching this. Maybe just use devm_kasprintf() here? Ah yes, that would be much better! V2 coming up, thanks for the suggestion. Regards, Stephen
diff --git a/drivers/clk/ti/adpll.c b/drivers/clk/ti/adpll.c index fdfb90058504..27933c4e8a27 100644 --- a/drivers/clk/ti/adpll.c +++ b/drivers/clk/ti/adpll.c @@ -196,12 +196,13 @@ static const char *ti_adpll_clk_get_name(struct ti_adpll_data *d, } else { const char *base_name = "adpll"; char *buf; + size_t size = 8 + 1 + strlen(base_name) + 1 + + strlen(postfix) + 1; - buf = devm_kzalloc(d->dev, 8 + 1 + strlen(base_name) + 1 + - strlen(postfix), GFP_KERNEL); + buf = devm_kzalloc(d->dev, size, GFP_KERNEL); if (!buf) return NULL; - sprintf(buf, "%08lx.%s.%s", d->pa, base_name, postfix); + snprintf(buf, size, "%08lx.%s.%s", d->pa, base_name, postfix); name = buf; }
The buffer allocated in ti_adpll_clk_get_name doesn't account for the terminating null. This patch adds the extra byte, and switches to snprintf to avoid overflowing. Signed-off-by: Stephen Kitt <steve@sk2.org> --- drivers/clk/ti/adpll.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-)