[PATCH 2/4] ALSA: usb-audio: qcom: Use snprintf for mixer control name formatting
From: wangdich9700
Date: Wed Jun 03 2026 - 05:18:18 EST
From: wangdicheng <wangdicheng@xxxxxxxxxx>
The current code uses sprintf() to format control names without bounds
checking, which could lead to buffer overflow if PCM index is large.
Replace sprintf with snprintf to ensure buffer safety.
The ctl_name buffer is 48 bytes, and the formatted string could exceed
this with large PCM index values. Using snprintf with sizeof(ctl_name)
prevents potential buffer overflow.
Signed-off-by: wangdicheng <wangdicheng@xxxxxxxxxx>
---
sound/usb/qcom/mixer_usb_offload.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sound/usb/qcom/mixer_usb_offload.c b/sound/usb/qcom/mixer_usb_offload.c
index 2adeb64f4d33..48e55d5872d5 100644
--- a/sound/usb/qcom/mixer_usb_offload.c
+++ b/sound/usb/qcom/mixer_usb_offload.c
@@ -128,7 +128,7 @@ int snd_usb_offload_create_ctl(struct snd_usb_audio *chip, struct device *bedev)
*/
chip_kctl->private_value = as->pcm_index |
chip->card->number << 16;
- sprintf(ctl_name, "USB Offload Playback Card Route PCM#%d",
+ snprintf(ctl_name, sizeof(ctl_name), "USB Offload Playback Card Route PCM#%d",
as->pcm_index);
chip_kctl->name = ctl_name;
ret = snd_ctl_add(chip->card, snd_ctl_new1(chip_kctl, bedev));
@@ -143,7 +143,7 @@ int snd_usb_offload_create_ctl(struct snd_usb_audio *chip, struct device *bedev)
*/
chip_kctl->private_value = as->pcm_index |
chip->card->number << 16;
- sprintf(ctl_name, "USB Offload Playback PCM Route PCM#%d",
+ snprintf(ctl_name, sizeof(ctl_name), "USB Offload Playback PCM Route PCM#%d",
as->pcm_index);
chip_kctl->name = ctl_name;
ret = snd_ctl_add(chip->card, snd_ctl_new1(chip_kctl, bedev));
--
2.25.1