[PATCH] kconfig: fix buffer overflow in conf_get_default_confname()
Anton Moryakov
ant.v.moryakov at gmail.com
Thu Feb 26 22:05:13 CET 2026
Use snprintf() instead of sprintf() when building the full config path
to prevent potential buffer overflow.

The function previously used sprintf() to concatenate SRCTREE environment
variable with the expanded config name into a fixed-size buffer
fullname[PATH_MAX+1]. Since getenv() can return arbitrarily long strings,
this could lead to writing beyond the buffer boundary (CWE-120).

Changes:
- Replace sprintf() with snprintf() with proper size checking
- Add validation of snprintf() return value to detect truncation
- Emit conf_warning() if the resulting path exceeds PATH_MAX
- Return the unprefixed name as fallback on error, preserving behavior

This fixes the static analyzer warning:
confdata.c:119: buffer overflow via getenv() tainted input

Reported-by: static analyzer Svace
Signed-off-by: Anton Moryakov <ant.v.moryakov at gmail.com>
---
scripts/kconfig/confdata.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/scripts/kconfig/confdata.c b/scripts/kconfig/confdata.c
index d587b10d7f8..756e613fa47 100644
--- a/scripts/kconfig/confdata.c
+++ b/scripts/kconfig/confdata.c
@@ -152,7 +152,11 @@ char *conf_get_default_confname(void)
name = expand_string(conf_defname);
env = getenv(SRCTREE);
if (env) {
- sprintf(fullname, "%s/%s", env, name);
+ int ret = snprintf(fullname, sizeof(fullname), "%s/%s", env, name);
+ if (ret < 0 || ret >= (int)sizeof(fullname)) {
+ conf_warning("configuration path too long");
+ return name;
+ }
if (is_present(fullname))
return fullname;
}
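Review bot: The message in the new error branch, conf_warning("configuration path too long"), is also emitted when ret < 0, which is an snprintf() output error and not a length problem, and in neither case does it say which path was rejected. Consider testing the two conditions separately, or at least naming SRCTREE and the config name in the warning (if conf_warning() accepts a format string here), so that a user with an overlong SRCTREE can tell why the prefixed file was never tried. The commit message says returning name preserves behavior, but the code that follows the closing brace is outside this hunk's context, so it would help to state explicitly that the early `return name;` matches the existing fall-through when is_present(fullname) fails.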
--
2.39.2
More information about the U-Boot mailing list