PARISC: led.c - fix potential stack overflow in led_proc_write()

avoid potential stack overflow by correctly checking count parameter

Reported-by: Ilja <ilja@netric.org>
Signed-off-by: Helge Deller <deller@gmx.de>
Acked-by: Kyle McMartin <kyle@mcmartin.ca>
Cc: James E.J. Bottomley <jejb@parisc-linux.org>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

diff --git a/drivers/parisc/led.c b/drivers/parisc/led.c
index 188bc8496a264feb05758e36cd7c2e23dea37b63..d02be78a41386b2ecb94c249cff8da11776ecb4a 100644 (file)
--- a/drivers/parisc/led.c
+++ b/drivers/parisc/led.c
@@ -176,16 +176,18 @@ static ssize_t led_proc_write(struct file *file, const char *buf,
        size_t count, loff_t *pos)
 {
        void *data = PDE(file->f_path.dentry->d_inode)->data;
-       char *cur, lbuf[count + 1];
+       char *cur, lbuf[32];
        int d;
 
        if (!capable(CAP_SYS_ADMIN))
                return -EACCES;
 
-       memset(lbuf, 0, count + 1);
+       if (count >= sizeof(lbuf))
+               count = sizeof(lbuf)-1;
 
        if (copy_from_user(lbuf, buf, count))
                return -EFAULT;
+       lbuf[count] = 0;
 
        cur = lbuf;