aboutsummaryrefslogtreecommitdiffstats
path: root/drivers/platform
diff options
context:
space:
mode:
authorXi Wang <xi.wang@gmail.com>2011-12-28 23:49:06 -0500
committerMatthew Garrett <mjg@redhat.com>2012-03-12 10:25:51 -0400
commite424fb8cc4e6634c10f8159b1ff5618cf7bab9c6 (patch)
tree1907ba5a04c791b676de548e62627aa50b795bc7 /drivers/platform
parent461e74377cfcfc2c0d6bbdfa8fc5fbc21b052c2a (diff)
panasonic-laptop: avoid overflow in acpi_pcc_hotkey_add()
num_sifr could go negative since acpi_pcc_get_sqty() returns -EINVAL on error. Then it could bypass the sanity check (num_sifr > 255). The subsequent call to kzalloc() would allocate a small buffer, leading to a memory corruption. Signed-off-by: Xi Wang <xi.wang@gmail.com> Signed-off-by: Matthew Garrett <mjg@redhat.com>
Diffstat (limited to 'drivers/platform')
-rw-r--r--drivers/platform/x86/panasonic-laptop.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/drivers/platform/x86/panasonic-laptop.c b/drivers/platform/x86/panasonic-laptop.c
index 05be30ee158b..ffff8b4b4949 100644
--- a/drivers/platform/x86/panasonic-laptop.c
+++ b/drivers/platform/x86/panasonic-laptop.c
@@ -562,8 +562,8 @@ static int acpi_pcc_hotkey_add(struct acpi_device *device)
562 562
563 num_sifr = acpi_pcc_get_sqty(device); 563 num_sifr = acpi_pcc_get_sqty(device);
564 564
565 if (num_sifr > 255) { 565 if (num_sifr < 0 || num_sifr > 255) {
566 ACPI_DEBUG_PRINT((ACPI_DB_ERROR, "num_sifr too large")); 566 ACPI_DEBUG_PRINT((ACPI_DB_ERROR, "num_sifr out of range"));
567 return -ENODEV; 567 return -ENODEV;
568 } 568 }
569 569