From: OrbisAI Security Date: Fri, 15 May 2026 01:25:24 +0000 (+0530) Subject: ixp4xx-microcode: use snprintf in IxNpeMicrocode.h X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F23172%2Fhead;p=thirdparty%2Fopenwrt.git ixp4xx-microcode: use snprintf in IxNpeMicrocode.h Replace sprintf() calls with snprintf() to bound writes into the fixed-size filename[] and slnk[] stack buffers. While the current inputs are hash-pinned firmware images, snprintf provides defense in depth against buffer overflows if the format string output ever exceeds buffer capacity. Signed-off-by: OrbisAI Security Link: https://github.com/openwrt/openwrt/pull/23172 Signed-off-by: Jonas Jelonek --- diff --git a/package/firmware/ixp4xx-microcode/src/IxNpeMicrocode.h b/package/firmware/ixp4xx-microcode/src/IxNpeMicrocode.h index 4a843db104f..16377e1e6d1 100644 --- a/package/firmware/ixp4xx-microcode/src/IxNpeMicrocode.h +++ b/package/firmware/ixp4xx-microcode/src/IxNpeMicrocode.h @@ -116,12 +116,14 @@ int main(int argc, char *argv[]) *(unsigned*)field = to_be32(image->id); char filename[40], slnk[10]; - sprintf(filename, "NPE-%c.%08x", (field[0] & 0xf) + 'A', - image->id); + snprintf(filename, sizeof(filename), "NPE-%c.%08x", + (field[0] & 0xf) + 'A', image->id); if (image->id == 0x00090000) - sprintf(slnk, "NPE-%c-HSS", (field[0] & 0xf) + 'A'); + snprintf(slnk, sizeof(slnk), "NPE-%c-HSS", + (field[0] & 0xf) + 'A'); else - sprintf(slnk, "NPE-%c", (field[0] & 0xf) + 'A'); + snprintf(slnk, sizeof(slnk), "NPE-%c", + (field[0] & 0xf) + 'A'); printf("Writing image: %s.NPE_%c Func: %2x Rev: %02x.%02x " "Size: %5d to: '%s'\n",