On Fri, Feb 27, 2026 at 12:05:13AM +0300, Anton Moryakov wrote: > Use snprintf() instead of sprintf() when building the full config path > to prevent potential buffer overflow. > > The function previously used sprintf() to concatenate SRCTREE environment > variable with the expanded config name into a fixed-size buffer > fullname[PATH_MAX+1]. Since getenv() can return arbitrarily long strings, > this could lead to writing beyond the buffer boundary (CWE-120). > > Changes: > - Replace sprintf() with snprintf() with proper size checking > - Add validation of snprintf() return value to detect truncation > - Emit conf_warning() if the resulting path exceeds PATH_MAX > - Return the unprefixed name as fallback on error, preserving behavior > > This fixes the static analyzer warning: > confdata.c:119: buffer overflow via getenv() tainted input > > Reported-by: static analyzer Svace > Signed-off-by: Anton Moryakov <[email protected]> > --- > scripts/kconfig/confdata.c | 6 +++++- > 1 file changed, 5 insertions(+), 1 deletion(-)
In this case I think we would be better served by resyncing with the linux kernel which has: commit b6f7e9f7050b9f8e5fe60d86e05c0740295a54bf Author: Masahiro Yamada <[email protected]> Date: Mon May 27 23:37:22 2019 +0900 kconfig: require the argument of --defconfig And removes this particular code. -- Tom
signature.asc
Description: PGP signature
