Use snprintf() instead of sprintf() when building the full config path
to prevent potential buffer overflow.

The function previously used sprintf() to concatenate the SRCTREE
environment variable with the expanded config name into a fixed-size
buffer fullname[PATH_MAX+1]. Since getenv() can return arbitrarily long
strings, this could lead to writing beyond the buffer boundary (CWE-120).

Changes:
- Replace sprintf() with snprintf() with proper size checking
- Add validation of snprintf() return value to detect truncation
- Emit conf_warning() if the resulting path exceeds PATH_MAX
- Return the unprefixed name as fallback on error, preserving behavior

This fixes the static analyzer warning:
  confdata.c:119: buffer overflow via getenv() tainted input

Reported-by: static analyzer Svace
Signed-off-by: Anton Moryakov <[email protected]>
---
 scripts/kconfig/confdata.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/scripts/kconfig/confdata.c b/scripts/kconfig/confdata.c
index d587b10d7f8..756e613fa47 100644
--- a/scripts/kconfig/confdata.c
+++ b/scripts/kconfig/confdata.c
@@ -152,7 +152,11 @@ char *conf_get_default_confname(void)
        name = expand_string(conf_defname);
        env = getenv(SRCTREE);
        if (env) {
-               sprintf(fullname, "%s/%s", env, name);
+               int ret = snprintf(fullname, sizeof(fullname), "%s/%s", env, 
name);
+               if (ret < 0 || ret >= (int)sizeof(fullname)) {
+                       conf_warning("configuration path too long");
+                       return name;
+               }
                if (is_present(fullname))
                        return fullname;
        }
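
Review bot: The added snprintf() line is wrapped, so its last argument "name);" sits on a line of its own with no "+" prefix; the hunk body then no longer matches the "@@ -152,7 +152,11 @@" header and the patch will not apply as posted. Please resend with a mailer that does not wrap lines, such as git send-email. The truncation test itself (ret < 0 || ret >= (int)sizeof(fullname)) is the right check. One smaller point on the conf_warning() call: "configuration path too long" does not say that the length comes from the SRCTREE environment variable, so naming that variable in the message would tell the user what to shorten.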
-- 
2.39.2