thermal: core: prevent potential string overflow
authorDan Carpenter <dan.carpenter@linaro.org>
Sat, 7 Oct 2023 08:59:39 +0000 (11:59 +0300)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 20 Nov 2023 10:59:01 +0000 (11:59 +0100)
[ Upstream commit c99626092efca3061b387043d4a7399bf75fbdd5 ]

The dev->id value comes from ida_alloc() so it's a number between zero
and INT_MAX.  If it's too high then these sprintf()s will overflow.

Fixes: 203d3d4aa482 ("the generic thermal sysfs driver")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
drivers/thermal/thermal_core.c

index 58533ea..e6f3166 100644 (file)
@@ -689,7 +689,8 @@ int thermal_zone_bind_cooling_device(struct thermal_zone_device *tz,
        if (result)
                goto release_ida;
 
-       sprintf(dev->attr_name, "cdev%d_trip_point", dev->id);
+       snprintf(dev->attr_name, sizeof(dev->attr_name), "cdev%d_trip_point",
+                dev->id);
        sysfs_attr_init(&dev->attr.attr);
        dev->attr.attr.name = dev->attr_name;
        dev->attr.attr.mode = 0444;
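Review bot: The `snprintf()` return value is ignored in both hunks (the `attr_name` call here and the `weight_attr_name` call in the next hunk), so an id too large for the buffer now produces a silently truncated sysfs attribute name instead of an overflow. The memory-safety fix is sound, but the attribute would then be registered under a name that userspace looking for `cdev<id>_trip_point` or `cdev<id>_weight` will not find. Consider failing the bind on truncation, e.g. `if (snprintf(dev->attr_name, sizeof(dev->attr_name), "cdev%d_trip_point", dev->id) >= sizeof(dev->attr_name)) { result = -ENAMETOOLONG; goto remove_symbol_link; }`, or bounding the id where it is allocated so the formatted name always fits. The buffer declarations, the ida allocation and the cleanup labels lie outside these hunks, so the correct label and limit need confirming against the full function.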
@@ -698,7 +699,8 @@ int thermal_zone_bind_cooling_device(struct thermal_zone_device *tz,
        if (result)
                goto remove_symbol_link;
 
-       sprintf(dev->weight_attr_name, "cdev%d_weight", dev->id);
+       snprintf(dev->weight_attr_name, sizeof(dev->weight_attr_name),
+                "cdev%d_weight", dev->id);
        sysfs_attr_init(&dev->weight_attr.attr);
        dev->weight_attr.attr.name = dev->weight_attr_name;
        dev->weight_attr.attr.mode = S_IWUSR | S_IRUGO;