From 13071f0a58f285eee81f63c917078bb2a48cf51e Mon Sep 17 00:00:00 2001 From: Alexey Dobriyan Date: Sun, 14 Jan 2007 15:29:42 -0300 Subject: V4L/DVB (5076): Cpia.c: buffer overflow If assigned minor is 10 or greater, terminator will be put beyound the end. Signed-off-by: Alexey Dobriyan Signed-off-by: Mauro Carvalho Chehab --- drivers/media/video/cpia.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'drivers') diff --git a/drivers/media/video/cpia.c b/drivers/media/video/cpia.c index 735a52a9041a..78c9699eafbb 100644 --- a/drivers/media/video/cpia.c +++ b/drivers/media/video/cpia.c @@ -1350,13 +1350,13 @@ out: static void create_proc_cpia_cam(struct cam_data *cam) { - char name[7]; + char name[5 + 1 + 10 + 1]; struct proc_dir_entry *ent; if (!cpia_proc_root || !cam) return; - sprintf(name, "video%d", cam->vdev.minor); + snprintf(name, sizeof(name), "video%d", cam->vdev.minor); ent = create_proc_entry(name, S_IFREG|S_IRUGO|S_IWUSR, cpia_proc_root); if (!ent) @@ -1376,12 +1376,12 @@ static void create_proc_cpia_cam(struct cam_data *cam) static void destroy_proc_cpia_cam(struct cam_data *cam) { - char name[7]; + char name[5 + 1 + 10 + 1]; if (!cam || !cam->proc_entry) return; - sprintf(name, "video%d", cam->vdev.minor); + snprintf(name, sizeof(name), "video%d", cam->vdev.minor); remove_proc_entry(name, cpia_proc_root); cam->proc_entry = NULL; } -- cgit v1.2.2