diff options
| author | Vasiliy Kulikov <segoon@openwall.com> | 2011-01-12 19:59:14 -0500 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2011-01-13 11:03:05 -0500 |
| commit | 2260209c4973e3eeb1e48abaa9e639373a0d4fb7 (patch) | |
| tree | 39b539b4f00d3321b25314eca417d70238366460 /drivers/leds | |
| parent | 6db26ffc917b609402619e03df5af8d1cd371ce7 (diff) | |
drivers/leds/leds-lp5521.c: fix potential buffer overflow
The code doesn't check first sscanf() return value. If first sscanf()
failed then c contains some garbage. It might lead to reading
uninitialised stack data in the second sscanf() call.
Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Cc: Richard Purdie <rpurdie@rpsys.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'drivers/leds')
| -rw-r--r-- | drivers/leds/leds-lp5521.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/drivers/leds/leds-lp5521.c b/drivers/leds/leds-lp5521.c index 33facd0c45d1..e881a75dc39d 100644 --- a/drivers/leds/leds-lp5521.c +++ b/drivers/leds/leds-lp5521.c | |||
| @@ -373,6 +373,8 @@ static int lp5521_do_store_load(struct lp5521_engine *engine, | |||
| 373 | while ((offset < len - 1) && (i < LP5521_PROGRAM_LENGTH)) { | 373 | while ((offset < len - 1) && (i < LP5521_PROGRAM_LENGTH)) { |
| 374 | /* separate sscanfs because length is working only for %s */ | 374 | /* separate sscanfs because length is working only for %s */ |
| 375 | ret = sscanf(buf + offset, "%2s%n ", c, &nrchars); | 375 | ret = sscanf(buf + offset, "%2s%n ", c, &nrchars); |
| 376 | if (ret != 2) | ||
| 377 | goto fail; | ||
| 376 | ret = sscanf(c, "%2x", &cmd); | 378 | ret = sscanf(c, "%2x", &cmd); |
| 377 | if (ret != 1) | 379 | if (ret != 1) |
| 378 | goto fail; | 380 | goto fail; |