From d9ec086beb297c17ac599af8d6189e6c1c6b1a0c Mon Sep 17 00:00:00 2001
From: Romuald Conty <romuald@libnfc.org>
Date: Wed, 21 Apr 2010 10:23:11 +0000
Subject: [PATCH] Replace some sprintf with snprintf to prevent from
 buffer-overflow.

---
 libnfc/drivers/pn532_uart.c | 3 +--
 libnfc/nfc.c                | 6 +++---
 2 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/libnfc/drivers/pn532_uart.c b/libnfc/drivers/pn532_uart.c
index a3b2207..6c584d3 100644
--- a/libnfc/drivers/pn532_uart.c
+++ b/libnfc/drivers/pn532_uart.c
@@ -133,8 +133,7 @@ pn532_uart_list_devices(nfc_device_desc_t pnddDevices[], size_t szDevices, size_
       snprintf(pnddDevices[*pszDeviceFound].acDevice, DEVICE_NAME_LENGTH - 1, "%s (%s)", "PN532", acConnect);
       pnddDevices[*pszDeviceFound].acDevice[DEVICE_NAME_LENGTH - 1] = '\0';
       pnddDevices[*pszDeviceFound].pcDriver = PN532_UART_DRIVER_NAME;
-      //pnddDevices[*pszDeviceFound].pcPort = strndup(acConnect, BUFFER_LENGTH - 1);
-      pnddDevices[*pszDeviceFound].pcPort = strdup(acConnect);
+      pnddDevices[*pszDeviceFound].pcPort = strndup(acConnect, BUFFER_LENGTH - 1);
       pnddDevices[*pszDeviceFound].pcPort[BUFFER_LENGTH] = '\0';
       pnddDevices[*pszDeviceFound].uiSpeed = SERIAL_DEFAULT_PORT_SPEED;
       DBG("Device found: %s.", pnddDevices[*pszDeviceFound].acDevice);
diff --git a/libnfc/nfc.c b/libnfc/nfc.c
index ec351df..96c62c4 100644
--- a/libnfc/nfc.c
+++ b/libnfc/nfc.c
@@ -195,9 +195,9 @@ nfc_device_t* nfc_connect(nfc_device_desc_t* pndd)
       // Add the firmware revision to the device name, PN531 gives 2 bytes info, but PN532 gives 4
       switch(pnd->nc)
       {
-        case NC_PN531: sprintf(pnd->acName,"%s - PN531 v%d.%d",pnd->acName,abtFw[0],abtFw[1]); break;
-        case NC_PN532: sprintf(pnd->acName,"%s - PN532 v%d.%d (0x%02x)",pnd->acName,abtFw[1],abtFw[2],abtFw[3]); break;
-        case NC_PN533: sprintf(pnd->acName,"%s - PN533 v%d.%d (0x%02x)",pnd->acName,abtFw[1],abtFw[2],abtFw[3]); break;
+        case NC_PN531: snprintf(pnd->acName,DEVICE_NAME_LENGTH - 1,"%s - PN531 v%d.%d",pnd->acName,abtFw[0],abtFw[1]); break;
+        case NC_PN532: snprintf(pnd->acName,DEVICE_NAME_LENGTH - 1,"%s - PN532 v%d.%d (0x%02x)",pnd->acName,abtFw[1],abtFw[2],abtFw[3]); break;
+        case NC_PN533: snprintf(pnd->acName,DEVICE_NAME_LENGTH - 1,"%s - PN533 v%d.%d (0x%02x)",pnd->acName,abtFw[1],abtFw[2],abtFw[3]); break;
       }
 
       // Reset the ending transmission bits register, it is unknown what the last tranmission used there