summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorVasiliy Kulikov <segoon@openwall.com>2011-01-12 16:59:14 -0800
committerLinus Torvalds <torvalds@linux-foundation.org>2011-01-13 08:03:05 -0800
commit2260209c4973e3eeb1e48abaa9e639373a0d4fb7 (patch)
tree39b539b4f00d3321b25314eca417d70238366460
parent6db26ffc917b609402619e03df5af8d1cd371ce7 (diff)
downloadlinux-2260209c4973e3eeb1e48abaa9e639373a0d4fb7.tar.bz2
drivers/leds/leds-lp5521.c: fix potential buffer overflow
The code doesn't check first sscanf() return value. If first sscanf() failed then c contains some garbage. It might lead to reading uninitialised stack data in the second sscanf() call. Signed-off-by: Vasiliy Kulikov <segoon@openwall.com> Cc: Richard Purdie <rpurdie@rpsys.net> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-rw-r--r--drivers/leds/leds-lp5521.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/drivers/leds/leds-lp5521.c b/drivers/leds/leds-lp5521.c
index 33facd0c45d1..e881a75dc39d 100644
--- a/drivers/leds/leds-lp5521.c
+++ b/drivers/leds/leds-lp5521.c
@@ -373,6 +373,8 @@ static int lp5521_do_store_load(struct lp5521_engine *engine,
while ((offset < len - 1) && (i < LP5521_PROGRAM_LENGTH)) {
/* separate sscanfs because length is working only for %s */
ret = sscanf(buf + offset, "%2s%n ", c, &nrchars);
+ if (ret != 2)
+ goto fail;
ret = sscanf(c, "%2x", &cmd);
if (ret != 1)
goto fail;