aboutsummaryrefslogtreecommitdiffstats
path: root/drivers/leds/leds-lp5521.c
diff options
context:
space:
mode:
authorVasiliy Kulikov <segoon@openwall.com>2011-01-12 19:59:14 -0500
committerLinus Torvalds <torvalds@linux-foundation.org>2011-01-13 11:03:05 -0500
commit2260209c4973e3eeb1e48abaa9e639373a0d4fb7 (patch)
tree39b539b4f00d3321b25314eca417d70238366460 /drivers/leds/leds-lp5521.c
parent6db26ffc917b609402619e03df5af8d1cd371ce7 (diff)
drivers/leds/leds-lp5521.c: fix potential buffer overflow
The code doesn't check first sscanf() return value. If first sscanf() failed then c contains some garbage. It might lead to reading uninitialised stack data in the second sscanf() call. Signed-off-by: Vasiliy Kulikov <segoon@openwall.com> Cc: Richard Purdie <rpurdie@rpsys.net> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'drivers/leds/leds-lp5521.c')
-rw-r--r--drivers/leds/leds-lp5521.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/drivers/leds/leds-lp5521.c b/drivers/leds/leds-lp5521.c
index 33facd0c45d1..e881a75dc39d 100644
--- a/drivers/leds/leds-lp5521.c
+++ b/drivers/leds/leds-lp5521.c
@@ -373,6 +373,8 @@ static int lp5521_do_store_load(struct lp5521_engine *engine,
373 while ((offset < len - 1) && (i < LP5521_PROGRAM_LENGTH)) { 373 while ((offset < len - 1) && (i < LP5521_PROGRAM_LENGTH)) {
374 /* separate sscanfs because length is working only for %s */ 374 /* separate sscanfs because length is working only for %s */
375 ret = sscanf(buf + offset, "%2s%n ", c, &nrchars); 375 ret = sscanf(buf + offset, "%2s%n ", c, &nrchars);
376 if (ret != 2)
377 goto fail;
376 ret = sscanf(c, "%2x", &cmd); 378 ret = sscanf(c, "%2x", &cmd);
377 if (ret != 1) 379 if (ret != 1)
378 goto fail; 380 goto fail;