From 07563e8ff892b065c5cf308dbe2e06015b330391 Mon Sep 17 00:00:00 2001 From: Jean Delvare Date: Thu, 2 Nov 2017 16:17:50 +0100 Subject: [PATCH] i2c-tools: i2cbusses: Avoid buffer overflows in sysfs paths sprintf isn't safe, use snprintf instead. --- CHANGES | 1 + tools/i2cbusses.c | 10 +++++----- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/CHANGES b/CHANGES index 59cbdd2..10f52ac 100644 --- a/CHANGES +++ b/CHANGES @@ -2,6 +2,7 @@ i2c-tools CHANGES ----------------- 3.1.3 (work in progress) + tools: Fix potential buffer overflows in i2cbusses eeprog: Increase delay after writes decode-dimms: Correctly check for out-of-bounds vendor ID README: Mention the current maintainer diff --git a/tools/i2cbusses.c b/tools/i2cbusses.c index eaca884..c0dbfb3 100644 --- a/tools/i2cbusses.c +++ b/tools/i2cbusses.c @@ -219,18 +219,18 @@ struct i2c_adap *gather_i2c_busses(void) /* this should work for kernels 2.6.5 or higher and */ /* is preferred because is unambiguous */ - sprintf(n, "%s/%s/name", sysfs, de->d_name); + snprintf(n, NAME_MAX, "%s/%s/name", sysfs, de->d_name); f = fopen(n, "r"); /* this seems to work for ISA */ if(f == NULL) { - sprintf(n, "%s/%s/device/name", sysfs, de->d_name); + snprintf(n, NAME_MAX, "%s/%s/device/name", sysfs, de->d_name); f = fopen(n, "r"); } /* non-ISA is much harder */ /* and this won't find the correct bus name if a driver has more than one bus */ if(f == NULL) { - sprintf(n, "%s/%s/device", sysfs, de->d_name); + snprintf(n, NAME_MAX, "%s/%s/device", sysfs, de->d_name); if(!(ddir = opendir(n))) continue; while ((dde = readdir(ddir)) != NULL) { @@ -239,8 +239,8 @@ struct i2c_adap *gather_i2c_busses(void) if (!strcmp(dde->d_name, "..")) continue; if ((!strncmp(dde->d_name, "i2c-", 4))) { - sprintf(n, "%s/%s/device/%s/name", - sysfs, de->d_name, dde->d_name); + snprintf(n, NAME_MAX, "%s/%s/device/%s/name", + sysfs, de->d_name, dde->d_name); if((f = fopen(n, "r"))) goto found; }