From 2260209c4973e3eeb1e48abaa9e639373a0d4fb7 Mon Sep 17 00:00:00 2001 From: Vasiliy Kulikov Date: Wed, 12 Jan 2011 16:59:14 -0800 Subject: drivers/leds/leds-lp5521.c: fix potential buffer overflow The code doesn't check first sscanf() return value. If first sscanf() failed then c contains some garbage. It might lead to reading uninitialised stack data in the second sscanf() call. Signed-off-by: Vasiliy Kulikov Cc: Richard Purdie Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- drivers/leds/leds-lp5521.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/leds/leds-lp5521.c b/drivers/leds/leds-lp5521.c index 33facd0c45d..e881a75dc39 100644 --- a/drivers/leds/leds-lp5521.c +++ b/drivers/leds/leds-lp5521.c @@ -373,6 +373,8 @@ static int lp5521_do_store_load(struct lp5521_engine *engine, while ((offset < len - 1) && (i < LP5521_PROGRAM_LENGTH)) { /* separate sscanfs because length is working only for %s */ ret = sscanf(buf + offset, "%2s%n ", c, &nrchars); + if (ret != 2) + goto fail; ret = sscanf(c, "%2x", &cmd); if (ret != 1) goto fail; -- cgit v1.2.3-70-g09d2