From: Ngo Luong Thanh Tra <ngotra27101996@gmail.com>
Date: Sat, 28 Mar 2026 06:01:31 +0000 (+0700)
Subject: board: samsung: fix set_board_info() board_name buffer overflow
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=e228b6a50418e261ee09fa326464935acdabe610;p=thirdparty%2Fu-boot.git

board: samsung: fix set_board_info() board_name buffer overflow

Replace unbounded sprintf() with snprintf() using sizeof(info) as
the bound when constructing the board_name string from bdname and
bdtype. The previous call had no size limit and could overflow the
64-byte stack buffer if the concatenated string exceeded 63 bytes.

Fixes: c9c36bf56e4c ("samsung: misc: use board specific functions to set env board info")
Signed-off-by: Ngo Luong Thanh Tra <S4210155@student.rmit.edu.au>
To: u-boot@lists.denx.de
---

diff --git a/board/samsung/common/misc.c b/board/samsung/common/misc.c
index 85e564f27ee..a6ba41d2805 100644
--- a/board/samsung/common/misc.c
+++ b/board/samsung/common/misc.c
@@ -101,7 +101,7 @@ void set_board_info(void)
 	if (!bdtype)
 		bdtype = "";
 
-	sprintf(info, "%s%s", bdname, bdtype);
+	snprintf(info, sizeof(info), "%s%s", bdname, bdtype);
 	env_set("board_name", info);
 #endif
 	snprintf(info, ARRAY_SIZE(info),  "%s%x-%s%s.dtb",