board: samsung: fix set_board_info() board_name buffer overflow

Replace unbounded sprintf() with snprintf() using sizeof(info) as
the bound when constructing the board_name string from bdname and
bdtype. The previous call had no size limit and could overflow the
64-byte stack buffer if the concatenated string exceeded 63 bytes.

Fixes: c9c36bf56e4c ("samsung: misc: use board specific functions to set env board info")
Signed-off-by: Ngo Luong Thanh Tra <S4210155@student.rmit.edu.au>
To: u-boot@lists.denx.de

diff --git a/board/samsung/common/misc.c b/board/samsung/common/misc.c
index 85e564f27ee5c79a0e4d2a36fe2069c2cb06f258..a6ba41d2805e5d9e808e5f82a1839df06589bc6a 100644 (file)
--- a/board/samsung/common/misc.c
+++ b/board/samsung/common/misc.c
@@ -101,7 +101,7 @@ void set_board_info(void)
        if (!bdtype)
                bdtype = "";
 
-       sprintf(info, "%s%s", bdname, bdtype);
+       snprintf(info, sizeof(info), "%s%s", bdname, bdtype);
        env_set("board_name", info);
 #endif
        snprintf(info, ARRAY_SIZE(info),  "%s%x-%s%s.dtb",