diff options
| author | Xi Wang <xi.wang@gmail.com> | 2011-12-28 23:49:06 -0500 |
|---|---|---|
| committer | Matthew Garrett <mjg@redhat.com> | 2012-03-12 10:25:51 -0400 |
| commit | e424fb8cc4e6634c10f8159b1ff5618cf7bab9c6 (patch) | |
| tree | 1907ba5a04c791b676de548e62627aa50b795bc7 /drivers/platform/x86/panasonic-laptop.c | |
| parent | 461e74377cfcfc2c0d6bbdfa8fc5fbc21b052c2a (diff) | |
panasonic-laptop: avoid overflow in acpi_pcc_hotkey_add()
num_sifr could go negative since acpi_pcc_get_sqty() returns -EINVAL
on error. Then it could bypass the sanity check (num_sifr > 255).
The subsequent call to kzalloc() would allocate a small buffer, leading
to a memory corruption.
Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Matthew Garrett <mjg@redhat.com>
Diffstat (limited to 'drivers/platform/x86/panasonic-laptop.c')
| -rw-r--r-- | drivers/platform/x86/panasonic-laptop.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/drivers/platform/x86/panasonic-laptop.c b/drivers/platform/x86/panasonic-laptop.c index 05be30ee158b..ffff8b4b4949 100644 --- a/drivers/platform/x86/panasonic-laptop.c +++ b/drivers/platform/x86/panasonic-laptop.c | |||
| @@ -562,8 +562,8 @@ static int acpi_pcc_hotkey_add(struct acpi_device *device) | |||
| 562 | 562 | ||
| 563 | num_sifr = acpi_pcc_get_sqty(device); | 563 | num_sifr = acpi_pcc_get_sqty(device); |
| 564 | 564 | ||
| 565 | if (num_sifr > 255) { | 565 | if (num_sifr < 0 || num_sifr > 255) { |
| 566 | ACPI_DEBUG_PRINT((ACPI_DB_ERROR, "num_sifr too large")); | 566 | ACPI_DEBUG_PRINT((ACPI_DB_ERROR, "num_sifr out of range")); |
| 567 | return -ENODEV; | 567 | return -ENODEV; |
| 568 | } | 568 | } |
| 569 | 569 | ||