diff options
author | Vasiliy Kulikov <segoon@openwall.com> | 2011-01-12 16:59:14 -0800 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2011-01-13 08:03:05 -0800 |
commit | 2260209c4973e3eeb1e48abaa9e639373a0d4fb7 (patch) | |
tree | 39b539b4f00d3321b25314eca417d70238366460 /drivers/leds | |
parent | 6db26ffc917b609402619e03df5af8d1cd371ce7 (diff) |
drivers/leds/leds-lp5521.c: fix potential buffer overflow
The code doesn't check first sscanf() return value. If first sscanf()
failed then c contains some garbage. It might lead to reading
uninitialised stack data in the second sscanf() call.
Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Cc: Richard Purdie <rpurdie@rpsys.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'drivers/leds')
-rw-r--r-- | drivers/leds/leds-lp5521.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/drivers/leds/leds-lp5521.c b/drivers/leds/leds-lp5521.c index 33facd0c45d..e881a75dc39 100644 --- a/drivers/leds/leds-lp5521.c +++ b/drivers/leds/leds-lp5521.c @@ -373,6 +373,8 @@ static int lp5521_do_store_load(struct lp5521_engine *engine, while ((offset < len - 1) && (i < LP5521_PROGRAM_LENGTH)) { /* separate sscanfs because length is working only for %s */ ret = sscanf(buf + offset, "%2s%n ", c, &nrchars); + if (ret != 2) + goto fail; ret = sscanf(c, "%2x", &cmd); if (ret != 1) goto fail; |