From deac4ca7232b47457b15aaa7abfbd84d9b690b96 Mon Sep 17 00:00:00 2001 From: Alexander Winkowski Date: Sun, 19 Nov 2023 12:37:24 +0000 Subject: [PATCH] thermal_debugfs: Avoid sscanf buffer overflow Only 19 characters out of total 20 can be used due to the '\0' terminator. Change-Id: I34883be26f97a16fdcb5ff97ff326d98f4d93c18 Signed-off-by: Alexander Winkowski --- drivers/thermal/thermal_debugfs.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/thermal/thermal_debugfs.c b/drivers/thermal/thermal_debugfs.c index de5123774c2e..d8698ef7f64a 100644 --- a/drivers/thermal/thermal_debugfs.c +++ b/drivers/thermal/thermal_debugfs.c @@ -27,7 +27,7 @@ static int fetch_cdev(struct thermal_zone_device *tz, char *dev_token, bool match_found = false; dev_token = strim(dev_token); - if (sscanf(dev_token, "%20[^ +\n\t]", cdev_name) != 1) + if (sscanf(dev_token, "%19[^ +\n\t]", cdev_name) != 1) return -EINVAL; list_for_each_entry(instance, &tz->thermal_instances, tz_node) { if (!instance->cdev || instance->trip != trip) @@ -41,14 +41,14 @@ static int fetch_cdev(struct thermal_zone_device *tz, char *dev_token, if (!match_found) return -ENODEV; if (upper_lim_token) { - if (sscanf(upper_lim_token, "%20[^ +\n\t]", limit_str) != 1) + if (sscanf(upper_lim_token, "%19[^ +\n\t]", limit_str) != 1) return -EINVAL; if (kstrtoul(limit_str, 0, &upper_limit)) return -EINVAL; instance->upper = upper_limit; } if (lower_lim_token) { - if (sscanf(lower_lim_token, "%20[^ +\n\t]", limit_str) != 1) + if (sscanf(lower_lim_token, "%19[^ +\n\t]", limit_str) != 1) return -EINVAL; if (kstrtoul(limit_str, 0, &lower_limit)) return -EINVAL; @@ -341,7 +341,7 @@ static ssize_t thermal_dbgfs_config_write(struct file *file, } sensor_buf = strnstr(buf, "sensor", count); if (sensor_buf) { - if (sscanf(sensor_buf, "sensor %20[^\n\t ]", + if (sscanf(sensor_buf, "sensor %19[^\n\t ]", sensor_name) != 1) { pr_err("sensor name not found\n"); ret = -EINVAL;