diff options
author | Vasiliy Kulikov <segoon@openwall.com> | 2011-01-12 19:59:14 -0500 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2011-01-13 11:03:05 -0500 |
commit | 2260209c4973e3eeb1e48abaa9e639373a0d4fb7 (patch) | |
tree | 39b539b4f00d3321b25314eca417d70238366460 /drivers/leds/leds-lp5521.c | |
parent | 6db26ffc917b609402619e03df5af8d1cd371ce7 (diff) |
drivers/leds/leds-lp5521.c: fix potential buffer overflow
The code doesn't check first sscanf() return value. If first sscanf()
failed then c contains some garbage. It might lead to reading
uninitialised stack data in the second sscanf() call.
Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Cc: Richard Purdie <rpurdie@rpsys.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'drivers/leds/leds-lp5521.c')
-rw-r--r-- | drivers/leds/leds-lp5521.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/drivers/leds/leds-lp5521.c b/drivers/leds/leds-lp5521.c index 33facd0c45d1..e881a75dc39d 100644 --- a/drivers/leds/leds-lp5521.c +++ b/drivers/leds/leds-lp5521.c | |||
@@ -373,6 +373,8 @@ static int lp5521_do_store_load(struct lp5521_engine *engine, | |||
373 | while ((offset < len - 1) && (i < LP5521_PROGRAM_LENGTH)) { | 373 | while ((offset < len - 1) && (i < LP5521_PROGRAM_LENGTH)) { |
374 | /* separate sscanfs because length is working only for %s */ | 374 | /* separate sscanfs because length is working only for %s */ |
375 | ret = sscanf(buf + offset, "%2s%n ", c, &nrchars); | 375 | ret = sscanf(buf + offset, "%2s%n ", c, &nrchars); |
376 | if (ret != 2) | ||
377 | goto fail; | ||
376 | ret = sscanf(c, "%2x", &cmd); | 378 | ret = sscanf(c, "%2x", &cmd); |
377 | if (ret != 1) | 379 | if (ret != 1) |
378 | goto fail; | 380 | goto fail; |