diff options
| author | Dan Carpenter <dan.carpenter@oracle.com> | 2012-03-15 07:37:32 -0400 |
|---|---|---|
| committer | Anton Vorontsov <anton.vorontsov@linaro.org> | 2012-05-04 22:24:48 -0400 |
| commit | 1ef3d8fb4deb77ee020b246d217dd4dfb28d88d5 (patch) | |
| tree | 13613ae086b2270373532db8490e011c7a0eb259 /drivers/power/max17042_battery.c | |
| parent | 69964ea4c7b68c9399f7977aa5b9aa6539a6a98a (diff) | |
max17042_battery: Fix a couple buffer overflows
There are a couple issues here caused by confusion between sizeof()
and ARRAY_SIZE(). "table_size" should be the number of elements, but we
should allocate it with kcalloc() so that we allocate the correct number
of bytes.
In max17042_init_model() we don't allocate enough space so we go past
the end of the array in max17042_read_model_data() and
max17042_model_data_compare().
In max17042_verify_model_lock() we allocate the right amount of space
but we call max17042_read_model_data() with the wrong number of elements
and also in the for loop we go past the end of the array.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Dirk Brandewie <dirk.brandewie@gmail.com>
Signed-off-by: Anton Vorontsov <anton.vorontsov@linaro.org>
Diffstat (limited to 'drivers/power/max17042_battery.c')
| -rw-r--r-- | drivers/power/max17042_battery.c | 10 |
1 files changed, 4 insertions, 6 deletions
diff --git a/drivers/power/max17042_battery.c b/drivers/power/max17042_battery.c index 04620c2cb388..39dd610994ac 100644 --- a/drivers/power/max17042_battery.c +++ b/drivers/power/max17042_battery.c | |||
| @@ -325,11 +325,10 @@ static inline int max17042_model_data_compare(struct max17042_chip *chip, | |||
| 325 | static int max17042_init_model(struct max17042_chip *chip) | 325 | static int max17042_init_model(struct max17042_chip *chip) |
| 326 | { | 326 | { |
| 327 | int ret; | 327 | int ret; |
| 328 | int table_size = | 328 | int table_size = ARRAY_SIZE(chip->pdata->config_data->cell_char_tbl); |
| 329 | sizeof(chip->pdata->config_data->cell_char_tbl)/sizeof(u16); | ||
| 330 | u16 *temp_data; | 329 | u16 *temp_data; |
| 331 | 330 | ||
| 332 | temp_data = kzalloc(table_size, GFP_KERNEL); | 331 | temp_data = kcalloc(table_size, sizeof(*temp_data), GFP_KERNEL); |
| 333 | if (!temp_data) | 332 | if (!temp_data) |
| 334 | return -ENOMEM; | 333 | return -ENOMEM; |
| 335 | 334 | ||
| @@ -354,12 +353,11 @@ static int max17042_init_model(struct max17042_chip *chip) | |||
| 354 | static int max17042_verify_model_lock(struct max17042_chip *chip) | 353 | static int max17042_verify_model_lock(struct max17042_chip *chip) |
| 355 | { | 354 | { |
| 356 | int i; | 355 | int i; |
| 357 | int table_size = | 356 | int table_size = ARRAY_SIZE(chip->pdata->config_data->cell_char_tbl); |
| 358 | sizeof(chip->pdata->config_data->cell_char_tbl); | ||
| 359 | u16 *temp_data; | 357 | u16 *temp_data; |
| 360 | int ret = 0; | 358 | int ret = 0; |
| 361 | 359 | ||
| 362 | temp_data = kzalloc(table_size, GFP_KERNEL); | 360 | temp_data = kcalloc(table_size, sizeof(*temp_data), GFP_KERNEL); |
| 363 | if (!temp_data) | 361 | if (!temp_data) |
| 364 | return -ENOMEM; | 362 | return -ENOMEM; |
| 365 | 363 | ||